Troubleshooting

Do not manually delete any Tanium content that includes Comply in the name for any reason. Deleting Tanium content can cause Comply to stop working correctly.

Issues with CIS-CAT for Comply 1.3.2 or earlier

Due to an expired CIS certificate, all CIS-CAT engines supported by Comply 1.3.2 or earlier will fail signature validation, which causes the engine not to run.

To resolve this issue, upgrade to Comply 1.3.3 or later. The tools in Comply 1.3.3 and later provide a work-around for this issue. After deploying these tools, all versions of CIS-CAT will work correctly. Comply 1.3.3 and later also adds support for CIS-CAT 3.0.43, which contains code signed with a valid certificate.

If you are unable to upgrade Comply, contact your TAM.

Issues with CIS-CAT v4.0.19 or later

Comply 2.6 includes preliminary support for the CIS-CAT v4.0.19 engine. In this preliminary support stage, the CIS-CAT v4 engine should only be used for testing purposes in a lab environment. The CIS-CAT v4 engine does not successfully assess multiple supported operating systems. Therefore, it is strongly recommended that the CIS-CAT v4 engine is not deployed or used in any production environments.

Deployments do not run as expected

Check for the following error messages if a deployment does not run as expected:

Some machines included in this deployment cannot be deployed to.

Ensure that targeted endpoints have enough disk space to accommodate deployments.

Some machines included in this deployment don't have the system utilities required to complete a scan.

Linux or macOS endpoints do not have the UNIX utilities installed that are required for Comply to work correctly.

Collect support bundle

You might need to collect a support bundle that includes logs associated with Comply for troubleshooting purposes when working with technical support or your TAM.

You must have the Comply Administrator role to collect the support bundle. For more information about Comply roles, see User role requirements.

  1. On the Comply Home page, click Help .
  2. On the Troubleshooting tab, in the Support Request section, click Create Package to download a support bundle of files to provide to your TAM or technical support.

Locate log files

You might need to locate log files on your endpoint or on the Tanium Module Server for troubleshooting purposes when working with technical support or your TAM.

Endpoint log files

Comply log files are created on endpoints at the following path: <Tanium Client>\Tools\Comply\logs

Log files for each scan are keyed by report hash. Only the most recent file is kept.

Tanium Module Server log files

Comply log files are created on the Tanium Module Server at the following path: <Module Server>\services\comply-service\logs

Service log files are found here.

Recreate JRE encryption key

If a JRE encryption key is lost or overwritten, you can recreate the JRE encryption key.

  1. On the Comply Home page, click Settings .
  2. On the JRE Encryption Key tab, click Generate Random Key to generate a new JRE encryption key.




  3. You can provide your own encryption key; however, as a best practice you should generate a random key.

  4. Enter your credentials and click OK.
  5. If you have existing reports on endpoints with an encrypted JRE, those reports must be redeployed. In addition, all existing encrypted deployments must be redeployed so they are updated with the new key.

Monitor and troubleshoot endpoints with critical or high vulnerabilities

The following table lists contributing factors into why the Comply endpoints with critical or high vulnerabilities metric might be lower than expected, and corrective actions you can make.

Contributing factor Corrective action
Endpoints are missing from vulnerability reports Ensure that those endpoints exist in correctly targeted computer groups and that those computer groups are explicitly targeted for vulnerability reports. Make sure that vulnerability reports run on a periodic schedule.
Vulnerability reports do not include endpoints that were offline at the time of the initial report schedule Change your vulnerability report scheduling to use Using report age, and instead of running a weekly report, set the report result maximum age to 7 days. For more information, see Create a vulnerability report.

With this configuration, Comply continuously checks for and attempts to assess endpoints as they come online, as long as they do not already have findings that are newer than 7 days. This setting allows global organizations and "follow the sun" models to continuously scan managed endpoints as they come online around the world, regardless of timezone or the original scan execution time.

OVAL checks do not align with locally developed guides or industry frameworks Use custom ID mapping and custom scoring to align CVEs to the frameworks on which you report.

For more information, see Customizing vulnerability results.

Uninstall Comply

If you need to uninstall Comply, first clean up the Comply artifacts on endpoints and then uninstall Comply from the server.

Remove Comply content and tools from endpoints

  1. From the Main menu, click Interact.
  2. Ask a question to target the endpoints from which you want to remove Comply content and tools. For example, Get Comply - Tools Version from all machines returns all endpoints with the Comply tools installed.
  3. Select the endpoints from which you want to remove Comply content and tools.
  4. Click Deploy Action.
  5. On the Deploy Action page, enter Comply - Remove in the Enter package name here field.
  6. Select either the Comply - Remove Client Files - Windows or Comply - Remove Client Files - Unix action, as appropriate. For more information, see Tanium Platform User Guide: Managing Scheduled Actions.
  7. Check Remove ALL Comply files if you want to remove all Comply content and tools or select only the content and tools you want to remove.
  8. Click Show preview to continue.
  9. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

Remove the Comply solution from the Tanium Module Server

  1. From the Main menu, click Tanium Solutions.
  2. In the Comply section, click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Tanium Solutions page and verify that the Import button is available for Comply.