Creating vulnerability assessments

You can create a new assessment on the Assessments page or create one using an existing standard on the Standards page. You must have the Comply Report Administrator role to create assessments that use client-based scanning. You must have the Comply RAS Assessment Create role to create assessments that use remote authenticated scanning. For more information about Comply roles, see User role requirements.

Configure a client-based scan assessment

  1. Select Assessments from the Comply menu.
  2. Select Vulnerability from the Create Assessment drop-down button.
  3. On the Create Vulnerability Assessment page, in the Summary section, enter a Name for the assessment. You can also provide Labels.
  4. Select a Scan Method (this field is only visible to users with the Comply RAS Assessment permission):
    • Client-Based: Client-based scanning uses Tanium Clients installed on endpoints. This is the recommended method of scanning. (The following instructions are for this scan method.)
    • Remote Authenticated: Remote authenticated scanning uses Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed. This scan type is useful for obtaining information from endpoints that do not support having the Tanium Client installed. See Configure a remote authenticated scan assessment for details.
    • Network unauthenticated: Find vulnerabilities on unmanaged endpoints in your environment using Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed and cannot be authenticated to. You can also do distributed scans using the Discover module. See Configure a network unauthenticated scan assessment for details.
  5. In the Targeting section:

    • Select Computer Groups. Use the pulldown list to select a group. Add additional groups using the same pulldown and use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection.

    Be sure to select the appropriate platform and Computer Groups containing endpoints that align with the Platform.

  6. The Tanium Comply action group is created automatically by Comply and will be automatically populated in the Action Group field. All saved actions created by Comply will be created under this action group.
  7. Select a Platform.
  8. Select the Engine. The Engine field displays only when more than one engine is installed.
  9. Select either Low or Normal from the Comply Process Priority drop-down list.

    If you select Low, the Comply scan process yields processor utilization to other processes running on the machine. If you select Normal, the scan process runs with the same priority as other processes on the machine.

    Selecting Low might increase the duration of the scan processes on endpoints with high processor utilization.

  10. Optionally, when the Tanium Scan Engine is selected, you can enable the Include network drives in scan check box. Network drives are not included in scans by default. Scanning them can be time-consuming and resource intensive.
  11. Select the Source from the drop-down list in the Vulnerability Content section.
  12. Select an Operating System.
  13. Specify the Range of CVEs. The Preview section on the right will show the number of CVEs and Definitions that will be included in the report.

    You can specify now in the Range of CVEs field as the end of a range. For example, entering 2016-now will run the report against all Common Vulnerabilities and Exposures (CVEs) from 2016 to the current date. By using this format, you can easily define a range that always is current.
    As a best practice, scan more frequently for recently released high and critical vulnerabilities (for example, 2018-now high and critical on a weekly basis), and conduct scans against all vulnerabilities less frequently (for example, monthly or quarterly).

  14. Check the scores you want to see in CVSS Score.
  15. List specific CVEs in the List of Individual CVEs field.

    If you specify a List of Individual CVEs, they will always be included in the report regardless of the values specified for Range of CVEs or CVSS Score. To search by year and score, you must provide values for both fields for the search to be valid. If you specify Range of CVEs, you must select at least one score in CVSS Score. If you select a score in CVSS Score, you must specify Range of CVEs. If you list specific CVEs, you can choose to leave the Range of CVEs field blank and select no CVSS Score.

    If you have previously saved a report with values for List of Individual CVEs, Range of CVEs, or CVSS Score, these values will remain the same for the next vulnerability report you create. You can edit these values as needed.

  16. Specify the Batch Size.

    Batch Size defines the number of checks that will run at a time. In order to run a manageable number of checks on your endpoints, the default value for this field is 500 for CIS-CAT and SCC, and the default is 2000 for Tanium Scan Engine (powered by JovalCM).
    This setting does not typically need to be adjusted from the default value.

  17. Select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

    The date and time displayed by default is the local browser time.

  18. Select the Distribute Over option and enter values to run the report over minutes, hours, or days. See Tanium Console User Guide: Deploying actions for information on how the Distribute over option works.
  19. Select Interval, Using report age, or Never for the Repeat field.
    • If you choose Interval, the Reissue every field displays, and you can specify how often the report is run.
    • If you choose Using assessment age, then the Run when results are older than field displays, and you can specify how old you want the results to be before the assessment is run. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked every hour.

      Use the Using assessment age option and set it to 7 days.

  20. Click Create & Deploy and enter your credentials. Results will display on the Findings page.

Configure a remote authenticated scan assessment

Remote authenticated scanning is useful for obtaining information from endpoints and subnets that do not support having the Tanium Client installed. For all other endpoints, you should use client-based scanning for performance reasons and to take advantage of the linear chain architecture.

Before you begin

    Review Reference: Remote authenticated scanning before configuring this feature.

  • Remote authenticated scanning requires specific versions of other Tanium solutions. See Remote authenticated scanning requirements.
  • Tanium Client operating system support for executing remote authenticated scans is the same as Tanium Client support (see Tanium Client Management User Guide: Client version and host system requirements) with the following exceptions.
  • See Host and network security requirements for remote authenticated scanning port requirements.
  • The following RBAC role is required: Comply RAS Assessment Creator. See User role requirements.
  • Create satellites in Tanium Direct Connect. See Tanium Direct Connect User Guide: Managing satellites.
  • Plan your targeting. When you configure remote authenticated scans, you can manually enter IP addresses (ranges, CIDR, etc.) to be scanned by the selected satellite or you can choose to scan endpoints found by Tanium Discover (Discovered Endpoints). If you are targeting Discovered Endpoints, you must run satellite scans in Tanium Discover before you configure the assessment. See Tanium Discover User Guide: Running satellite scans.

    More information about targeting:

    • Targeting IP addresses: When using IP address targeting (the default), the addresses you enter do not have to be on the same subnet as the satellite to be scanned. They only have to be reachable by the satellite.
    • Targeting Discovered Endpoints: When targeting Discovered Endpoints, if an endpoint does not match Tanium Discover's Promote Unmanaged Interface label, that endpoint is not promoted to Tanium Data Service (TDS). If an endpoint is not promoted to TDS, it cannot be scanned by Comply. Therefore you must promote interfaces to TDS in Tanium Discover. See Tanium Discover User Guide: Managing interfaces. Note that because Tanium Discover cannot get the MAC address from endpoints that are not in the same subnet as the satellite, only endpoints in the same subnet as the satellite will be scanned.
  • Configure credentials in Tanium Comply. See Configure credentials lists for remote-authenticated scans.
      • Do not target the same unmanaged assets with multiple remote authenticated scan assessments.
      • Target a maximum of 4,096 unmanaged assets per remote authenticated scan assessment or the equivalent of a /20 network.
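The 4,096-address (/20) limit above is applied when you click Create, as included addresses less excluded addresses. The following added Python example (not Tanium's code) lets you pre-check a target list offline: it parses Included Networks and Excluded Networks entries in the forms the procedure accepts (single addresses, ranges, CIDRs, separated by commas or line breaks) and counts the net addresses. Handling only IPv4 and the sample lists in it are assumptions made for this example.

```python
import ipaddress
import re

# Per-assessment target limit stated on the page: 4,096 addresses, the size of a /20.
MAX_TARGETS = 4096


def parse_entry(entry):
    """Convert one Included/Excluded Networks entry to an inclusive (first, last) pair of ints.

    Accepted forms, as the procedure describes: a single address, a range written
    'a.b.c.d - w.x.y.z', or a CIDR block. IPv4 only (assumption made for this example).
    """
    entry = entry.strip()
    if not entry:
        return None
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        lo, hi = net.network_address, net.broadcast_address
    elif "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if int(lo) > int(hi):
            raise ValueError(f"range start is after range end: {entry}")
    else:
        lo = hi = ipaddress.ip_address(entry)
    if lo.version != 4 or hi.version != 4:
        raise ValueError(f"only IPv4 entries are handled in this example: {entry}")
    return int(lo), int(hi)


def merge(intervals):
    """Merge overlapping or adjacent intervals so a double-listed address counts once."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_list(text):
    """Entries may be separated by commas or line breaks (the Copy-button upload allows both)."""
    pairs = [parse_entry(e) for e in re.split(r"[,\r\n]+", text)]
    return merge([p for p in pairs if p is not None])


def subtract(included, excluded):
    """Cut every excluded interval out of the included ones."""
    remaining = []
    for lo, hi in included:
        pieces = [(lo, hi)]
        for xlo, xhi in excluded:
            cut = []
            for plo, phi in pieces:
                if xhi < plo or xlo > phi:      # no overlap: keep the piece whole
                    cut.append((plo, phi))
                    continue
                if plo < xlo:                    # keep the part before the exclusion
                    cut.append((plo, xlo - 1))
                if phi > xhi:                    # keep the part after the exclusion
                    cut.append((xhi + 1, phi))
            pieces = cut
        remaining.extend(pieces)
    return remaining


def count_targets(included_text, excluded_text=""):
    """Number of addresses the scan would include: included less excluded, as the page describes."""
    remaining = subtract(parse_list(included_text), parse_list(excluded_text))
    return sum(hi - lo + 1 for lo, hi in remaining)


def check_targets(included_text, excluded_text=""):
    """Return (count, within_limit) so the list can be trimmed before Create is clicked."""
    n = count_targets(included_text, excluded_text)
    return n, n <= MAX_TARGETS


if __name__ == "__main__":
    # Constructed sample lists, not taken from any real environment.
    included = "10.20.0.0/21\n10.20.8.1 - 10.20.8.100, 10.20.9.5"
    excluded = "10.20.3.0/24, 10.20.8.50"
    n, ok = check_targets(included, excluded)
    print(f"{n} target addresses; within the {MAX_TARGETS}-address limit: {ok}")
```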

To configure a remote authenticated scan assessment, do the following:

  1. Select Assessments from the Comply menu.
  2. Select Vulnerability from the Create Assessment drop-down button.
  3. On the Create Vulnerability Assessment page, in the Summary section, enter a Name for the assessment. You can also provide Labels.
  4. Select a Scan Method (this field is only visible to users with the Comply RAS Assessment permission):
    • Client-Based: Client-based scanning uses Tanium Clients installed on endpoints. This is the recommended method of scanning.
    • Remote Authenticated: Remote authenticated scanning uses Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed. This scan type is useful for obtaining information from endpoints that do not support having the Tanium Client installed. Note that remote authenticated scanning only supports using the Tanium Scan Engine. (The following instructions are for this scan method.)
    • Network unauthenticated: Find vulnerabilities on unmanaged endpoints in your environment using Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed and cannot be authenticated to. You can also do distributed scans using the Discover module. See Configure a network unauthenticated scan assessment for details.

  5. In the Satellite section, select a satellite to perform the scan.
  6. In the Targeting section, select a Targeting Type.

      If you use IP addresses (the default), the addresses you enter do not have to be on the same subnet as the satellite to be scanned. If you use discovered endpoints, because Tanium Discover cannot get the MAC address from endpoints that are not in the same subnet as the satellite, only endpoints in the same subnet as the satellite will be scanned.

    • IP Addresses:
      • In the Included Networks field, enter a comma separated list of IP addresses, IP address ranges, or CIDR addresses. You can also click the Copy button to upload a text file containing IP addresses, IP ranges, or CIDRs separated either by commas or carriage returns.
      • In the Excluded Networks field, enter IP addresses, IP address ranges, or CIDR addresses to be excluded from the scan. You can enter them manually or upload a file of addresses.

      • Be sure to enter IP addresses that the selected satellite can reach.

        4,096 is the maximum number of addresses that can be included in a scan. When you click the Create button, a calculation takes place to determine the number of included addresses less the number of excluded addresses to determine the final amount.

    • Discovered Endpoints: Click the +ROW or +Grouping button to view the Select Attribute field. Select from the following Attribute combinations to filter the list of discovered endpoints:

      Attribute       | Available Operators                                       | Value
      IP Address      | is equal to, is not equal to, contains, does not contain | Enter a single IP address or multiple addresses, each separated by a comma. For example, 192.168.1.1, 192.168.1.3
      Discover Labels | include one of, include all of                            | Select one or more labels configured in Tanium Discover. See Tanium Discover User Guide: Labels for more information.
      IP Range        | equals                                                    | Enter an IP address range. For example, 192.168.1.1 - 192.168.1.150
      CIDR            | equals                                                    | Enter an IP address range in CIDR format. For example, 192.168.1.0/24
      OS Platform     | contains, does not contain                                | Enter text for targeting a specific OS.

      To select multiple items in the Value field, click within the field after adding an item, and you can select additional items.

      Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new target to the group. Use the Grouping button to build another And/Or combination for targeting. Click Apply for each selection.

    • In the Preview section for Discovered Endpoints, click the Show Preview button to view the list of unmanaged endpoints you selected for targeting. You can use the information in the preview grid to expand or narrow your targeting. For example, you can target a satellite initially and then add an IP range to further filter your targets based on what you observed in the preview.

  7. Select the Credential List for this assessment. You can only use one list per assessment. In order for satellites to perform secure scans of non-Tanium endpoints, the login credentials for those endpoints are required. See Configure credentials lists for remote-authenticated scans.
  8. Make sure the credential list you select matches the targeting in the assessment. If too many incorrect credentials are attempted and fail, this could trigger security alerts and cause account lockouts.

  9. Optionally but not recommended, in the Subsequent Scan Configuration section, enable the Include new endpoints found on recurring scans check box. By default, if scans are recurring, Comply only scans endpoints that were reachable during the initial scan. If new endpoints come online, they are not scanned unless you change the assessment's targeting or select this check box.
  10. If you enable the Include new endpoints found on recurring scans check box and your network is compromised at any point after the initial scan, a honeypot could be installed in your environment that matches the scan configuration requirements. If that occurs, an unmanaged endpoint could capture the credentials being passed to it and use them with malicious intent.

  11. Enabled by default and recommended when you use SSH key and SSH password credentials, use Trust on First Use for fingerprint comparison. With this feature enabled, Comply will collect the SSH fingerprint the first time an endpoint connects. For every future connection, Comply will check to make sure the endpoint presents the same SSH fingerprint. If it does not, Comply will log a Fingerprint Mismatch Error. An endpoint that fails the fingerprint check will not be logged into or scanned.

  12. If you receive a fingerprint mismatch error, you can click on the assessment error message and then click through to the endpoint to accept the new key to resolve the error.

  13. Select the Source from the drop-down list in the Vulnerability Content section.
  14. Select an Operating System.
  15. Specify the Range of CVEs. The Preview section on the right will show the number of CVEs and Definitions that will be included in the report.

    You can specify now in the Range of CVEs field as the end of a range. For example, entering 2016-now will run the report against all Common Vulnerabilities and Exposures (CVEs) from 2016 to the current date. By using this format, you can easily define a range that always is current.
    As a best practice, scan more frequently for recently released high and critical vulnerabilities (for example, 2019-now high and critical on a weekly basis), and conduct scans against all vulnerabilities less frequently (for example, monthly or quarterly).

  16. Check the scores you want to see in CVSS Score.
  17. List specific CVEs in the List of Individual CVEs field.

    If you specify a List of Individual CVEs, they will always be included in the report regardless of the values specified for Range of CVEs or CVSS Score. To search by year and score, you must provide values for both fields for the search to be valid. If you specify Range of CVEs, you must select at least one score in CVSS Score. If you select a score in CVSS Score, you must specify Range of CVEs. If you list specific CVEs, you can choose to leave the Range of CVEs field blank and select no CVSS Score.

    If you have previously saved a report with values for List of Individual CVEs, Range of CVEs, or CVSS Score, these values will remain the same for the next vulnerability report you create. You can edit these values as needed.

  18. Specify the Batch Size.

    Batch Size defines the number of checks that will run at a time. In order to run a manageable number of checks on your endpoints, the default value for this field is 500 for CIS-CAT and SCC, and the default is 2000 for Tanium Scan Engine (powered by JovalCM).
    This setting does not typically need to be adjusted from the default value.

  19. Select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

    The date and time displayed by default is the local browser time.

  20. Select the Distribute Over option and enter values to run the report over minutes, hours, or days. See Tanium Console User Guide: Deploying actions for information on how the Distribute over option works.
  21. Select Interval, Using report age, or Never for the Repeat field.
    • If you choose Interval, the Reissue every field displays, and you can specify how often the report is run.
    • If you choose Using assessment age, then the Run when results are older than field displays, and you can specify how old you want the results to be before the assessment is run. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked every hour.

      Use the Using assessment age option and set it to 7 days.

  22. Click Create & Deploy and enter your credentials. Results will display on the Findings page.
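The Range of CVEs, CVSS Score and List of Individual CVEs rules in steps 15 to 17 above (and in the identical steps 13 to 15 of the client-based procedure) as an added Python example, not Comply's own code: it expands a YYYY-now range to the current year, enforces the rule that a range and a score must be given together while a list of individual CVEs may stand alone, and always keeps listed CVEs regardless of range or score. The catalog and its CVE IDs are constructed and fictitious, and mapping the CVSS Score check boxes to the CVSS v3 severity bands is an assumption.

```python
import re
from datetime import date

# Fictitious catalog, constructed for this example: (CVE ID, CVSS base score).
# In Comply the Source selected in the Vulnerability Content section supplies this.
SAMPLE_CATALOG = [
    {"id": "CVE-2015-00001", "cvss": 9.8},
    {"id": "CVE-2016-00002", "cvss": 7.5},
    {"id": "CVE-2018-00003", "cvss": 5.3},
    {"id": "CVE-2021-00004", "cvss": 9.1},
    {"id": "CVE-2023-00005", "cvss": 3.1},
]


def severity(score):
    """CVSS v3 qualitative rating bands; assumed here to be what the CVSS Score check boxes select."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def parse_range(text, current_year=None):
    """'2016-now' -> (2016, current year); '2016-2019' -> (2016, 2019); blank -> None."""
    text = text.strip()
    if not text:
        return None
    m = re.fullmatch(r"(\d{4})\s*-\s*(\d{4}|now)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Range of CVEs: {text!r}")
    start = int(m.group(1))
    if m.group(2).lower() == "now":
        end = current_year or date.today().year  # 'now' keeps the range current
    else:
        end = int(m.group(2))
    if start > end:
        raise ValueError("Range of CVEs starts after it ends")
    return start, end


def cve_year(cve_id):
    """Year component of a CVE identifier, e.g. CVE-2016-00002 -> 2016."""
    m = re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve_id, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def validate(range_text, scores, individual):
    """The page's rules: a range needs at least one score and a score needs a range;
    a List of Individual CVEs on its own is valid."""
    has_range, has_scores = bool(range_text.strip()), bool(scores)
    if has_range != has_scores:
        raise ValueError("Range of CVEs and CVSS Score must be specified together")
    if not has_range and not individual:
        raise ValueError("specify a Range of CVEs with CVSS Score, a List of Individual CVEs, or both")


def select_cves(catalog, range_text="", scores=(), individual=(), current_year=None):
    """Return the sorted CVE IDs the assessment would cover.

    Listed CVEs are always kept, regardless of range or score; every other CVE must fall in
    the year range AND carry a selected severity. Listed IDs absent from the catalog cannot
    be scanned and are simply not returned (assumption for this example).
    """
    validate(range_text, scores, individual)
    wanted = {s.lower() for s in scores}
    listed = {c.strip().upper() for c in individual if c.strip()}
    years = parse_range(range_text, current_year)
    chosen = []
    for cve in catalog:
        cve_id = cve["id"].upper()
        if cve_id in listed:
            chosen.append(cve_id)
        elif years and years[0] <= cve_year(cve_id) <= years[1] and severity(cve["cvss"]) in wanted:
            chosen.append(cve_id)
    return sorted(chosen)


if __name__ == "__main__":
    # The page's weekly pattern: high and critical from 2016-now, plus one older CVE that must always be included.
    print(select_cves(SAMPLE_CATALOG, "2016-now", ["high", "critical"], ["CVE-2015-00001"]))
```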

Remote authenticated scan workflow

When a remote authenticated scan begins, it asks the Comply service for its targets and credentials. The service uses the scan's criteria for IP inclusion to query for currently reachable targets for that satellite and sends that list to the client to execute the scan. Scheduled periodic RAS scans do not automatically include new targets as they are identified by the associated Tanium Discover scan. Recurring assessments will only include the unmanaged assets that were reachable at the time of the initial scan, unless you select the Include newly discovered endpoints on reoccurring scans check box, which is not recommended.

Create a vulnerability report from the Standards page

Select Standards from the main menu, select the Vulnerability tab, and click Create next to the vulnerability standard for which you want to create an assessment.

Configure a network unauthenticated scan assessment

You can find vulnerabilities on managed and unmanaged endpoints in your environment by creating a network unauthenticated vulnerability assessment. Unlike remote authenticated scanning, which requires credentials for all endpoints, network unauthenticated scanning allows you to use satellite targeting to scan unmanaged devices without having to authenticate to them. You can also configure distributed targeting in Comply using the Discover module.

Before you begin

  • If you are using satellite targeting, you must create satellites in Tanium Direct Connect. See Tanium Direct Connect User Guide: Managing satellites. Tanium Discover is not required for satellite scans.
  • If you're using distributed targeting, you must have the Discover module installed and configured. You must also have the Discover Profile Read privilege (required to view a network unauthenticated vulnerability assessment) and the Discover Profile Write privilege. There is background information and detailed instructions for this section in the Tanium Discover User Guide.

    • You must use Discover 4.0 or later.
    • Discover currently scans only for IPv4 addresses.

To configure a network unauthenticated scan assessment, do the following:

  1. From the Comply menu, select Assessments.
  2. Click the Create Assessment button and select Vulnerability.
  3. In the Summary section, enter a Name for the assessment.
  4. Select a Scan Method:
    • For this assessment type, select Network Unauthenticated.

      With this scan type, you can do a distributed scan or you can use satellite targeting to scan unmanaged devices without having to authenticate to them.
  5. You can provide Labels to further identify the assessment.
  6. In the Targeting section, select a Targeting Type.
    • Satellite - With a satellite scan, you manually enter IP addresses (ranges, CIDR, etc.) to be scanned by the selected satellite. The addresses you enter do not have to be on the same subnet as the satellite. They only have to be reachable by the satellite. You can view these results using remote reports. See Create a network unauthenticated report.
      • In the Included Networks field, enter a comma separated list of IP addresses, IP address ranges, or CIDR addresses. You can also click the Copy button to upload a text file containing IP addresses, IP ranges, or CIDRs separated either by commas or carriage returns.

      • In the Excluded Networks field, enter IP addresses, IP address ranges, or CIDR addresses to be excluded from the scan. You can enter them manually or upload a file of addresses.

      • 4,096 is the maximum number of addresses, or a /20, that can be included in a scan. When you click the Create button, a calculation takes place to determine the number of included addresses less the number of excluded addresses to determine the final amount.

    • Distributed - Scan endpoints in the same subnets as existing Tanium Clients. This uses the Discover module to run Nmap scans. Results from distributed scans are not viewable in Comply Findings. You can view these results using remote reports. See Create a network unauthenticated report.
      • Under Scan Inclusions, specify Tanium Client networks to scan as part of this assessment.
        • All Networks: It is recommended you include all networks in the scan.

        • Specific Networks: Enter the IP addresses for specific networks to include in the scan. Tanium clients within those networks will perform the scan.

        • Computer groups: Select specific computer groups to include in the scan.

          These are the computers from which the results will be pulled.
      • Under Scan Exclusions, specify networks to exclude from the assessment. You can select multiple options.
        • Isolated Subnets/Systems: Select this check box to prevent devices that have no peers from performing scans.

        • Specific Networks: Enter IP addresses to be excluded from scans. These can be single addresses, address ranges, or comma-separated CIDRs.

        • VPN Networks: Enter VPN networks to be excluded from scans. This prevents computers that are not on the network from being scanned. These can be single addresses, address ranges, or comma-separated CIDRs.

        • Zone Servers: Enter zone servers to be excluded from scans. This prevents computers that are not on the network from being scanned by using IP addresses or host names of DMZ facing servers. These can be IP addresses or host names separated by commas.

  7. In the Port Specification section, select one of the following:

      By default, the Network Mapper utility (Nmap) scans the top 1000 most commonly used TCP ports. If needed, you can customize the ports that are scanned during the discovery process and the source ports from which clients run scans.

    • Target Ports: Specify the TCP ports that you want to scan: Top 1000 Ports, Top 1000 Ports plus specified ports, or Only Specified Ports.

    • Excluded Ports: Specify a list of TCP ports to exclude from the ports scanned. These ports are excluded from all types of scans.

    • Source Port: Specify a source port from which Nmap on clients attempts to run scans.

  8. In the Scan Frequency section, specify how often you want the scan to run.
  9. Click Create or Create & Deploy and enter your credentials.
  10. View findings. To view findings for satellite and distributed scans, see Create a network unauthenticated report.

Create a network unauthenticated report

  1. From the Comply menu, select Reports.

  2. Select the Network Unauthenticated tab.
  3. Click the Create Report button and select Network Unauthenticated.
  4. Enter a Name.
  5. Select a Content Set. See Tanium Core Platform User Guide: Managing RBAC for information on content sets.
  6. Under Targeting, select a Targeting Type:
    • All - The report will include findings from all network unauthenticated scan target types. Select a satellite and one or more computer groups to configure the report.
    • Satellite - The report will include findings from network unauthenticated scans with satellite targeting.
      • Select a Satellite for the report.
    • Distributed - The report will include findings from network unauthenticated scans with distributed targeting.
      • Select Computer Groups. Use the pulldown list to select a group. Add additional groups using the same pulldown and use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. Click Apply for each selection.
  7. The Tanium Comply action group is created automatically by Comply and will be automatically populated in the Action Group field. All saved actions created by Comply will be created under this action group.
  8. Click Create.

Status definitions

View the status of an assessment in the Status column on the list page. Hover over the icon to see one of the following statuses:

Loading

No statistics have been received from the Comply service for the assessment.

Pending

At least one endpoint in the assessment has not yet run the scan, but there are no scan errors.

Success

The assessment has at least one successful run with no errors and no scans not run.

Error

The assessment has at least one endpoint that produced an error during the scan.

Warning

Any issue that does not fall into the other status categories.

You must reload the page to update the status column.

Run an assessment again

On the Assessments page, select an assessment and click Deploy Now to run it again.

Run an on-demand scan

On-demand scans are only supported for client-based assessments.

An on-demand scan lets you run an assessment at the push of a button using existing targeting or with additional filters. Optionally, you can run the assessment with or without debug enabled.

To run an on-demand scan:

  1. Select the check box for an assessment or click the arrow for the fly-out window to access the Run on-demand scan button.

  2. Click the Run on-demand scan button and optionally configure the following:
    • Select the Run with Debug check box - Debug is only available for the Tanium Scan Engine. With debug enabled, scans run with more detailed logging, and the additional output that the client extension (CX) stores is available to view (see Client extensions). A debug zip file and an XML file are produced in /opt/Tanium/TaniumClient/extensions/comply/data/results/joval-<assessment ID>.
    • Configure additional filtering - Select Individual Endpoints and enter those endpoints into the edit field or select Computer Group and choose a group to filter by.
  3. Click the Run Scan button.

Export an assessment

The following instructions are for exporting one assessment at a time. To export findings using Tanium Connect, see Exporting findings and assessments for instructions.

  1. On the Assessments page, select an assessment and click the Export icon. You can only export one assessment at a time. If you have more than one assessment selected, the Export icon is not displayed.
  2. In the Export Assessment window, provide the following:
    • Vulnerability
      1. Enter an Assessment Name.
      2. Optionally, enter a Description.
      3. Enter a File Name.
      4. Select a Format: HTML or CSV. If you select CSV, no further information is required.
      5. Select one or more Results Display types for the export: Details, Endpoint List, Open Ports (if applicable), and Vulnerability Test Criteria.
      6. Click Export.
  3. Go to the Reports > Exports page to view the progress of any report export jobs currently running. The last column in the results table indicates the status of the report export job.

  4. When the export report is complete, select the export and click the Download icon to download the report in the format you selected.

Update vulnerability assessments

When vulnerability sources are updated and contain new definitions that match an assessment's vulnerability content, the assessment will get the updated feed the next time it is deployed. That process occurs automatically if it is deployed by a set schedule. If the vulnerability assessment does not have a recurring schedule, you must manually deploy it to receive the new vulnerability feed.

This does not apply to configuration compliance assessments, which require a new assessment to use updated configuration compliance standards.

Edit an assessment

  1. On the Assessments page, select the assessment you want to edit and click the Edit icon.
  2. Edit the Name if needed.
  3. Add labels in the Labels field. Click the X next to a label to remove it.
  4. Change the Engine if needed.
  5. Change the Comply Process Priority if needed.
  6. Select Start at and End at and complete the date and time values to limit the assessment to run only during a specific time period. The date and time displayed by default is the local browser time.
  7. Select the Distribute over and enter values to run the assessment over minutes or hours.
  8. Select None, Interval, or Use assessment age for the Repeat field.
    • If you choose None, the report will run once if the Start At field is specified for a date and time in the future. Otherwise, the report will not run again.
    • If you choose Interval, the Reissue every field will appear, and you can specify how often the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment will run immediately. If you choose Interval and do not enter a value for End At, the assessment will run at the specified interval forever.
    • If you choose Use assessment age, then the Run when results are older than field will appear, and you can specify how old you want the results to be before the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment will run immediately. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked either every hour or every 3 hours. If you specify an age less than 3 hours, the age of results will be checked every hour. If you do not enter a value for End At, the assessment will continue to run forever.
  9. Click Save.

Delete an assessment

Vulnerability assessments are updated automatically.

You cannot delete a standard, custom check, or custom ID mapping if they are associated with an assessment.