Comply requirements

Review the requirements before you install and use Comply.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Comply

  • Tanium™ Core Platform servers: 7.4.1.1939 or later

  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the Tanium Server automatically imports the computer groups that Comply requires.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Comply to function (required dependencies) or for specific Comply features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Comply dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Comply requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Comply, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Comply to import and are using Tanium Core Platform 7.5.2.3531 with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Comply, the server automatically updates those dependencies to the latest available versions.

If you select only Comply to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Comply has the following required dependencies at the specified minimum versions:

  • Tanium™ Connect 4.10.5 or later (to customize columns for exports, you must have Connect 5.8.49 or later)
  • Tanium™ Discover 3.0 or later (required for remote vulnerability reports)
  • Tanium™ Endpoint Configuration 1.2 or later
    • Endpoint Configuration is installed as part of Tanium™ Client Management 1.7 or later.
  • Tanium™ Interact 2.11.58 or later
  • Tanium™ Trends 3.6 or later
  • Tanium™ Reporting service 1.3.12 or later
    • Tanium™ API Gateway 1.1.13 or later
    • Tanium™ Blob service 1.0.6 or later
  • Tanium™ RDB service 1.0.84 or later
  • Tanium™ System User service 1.0.40 or later

Feature-specific dependencies

If you select only Comply to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Comply has the following feature-specific dependencies at the specified minimum versions:

Remote authenticated scanning requirements

  • Tanium Core Platform 7.4.1.1939 or later
  • Tanium Comply 2.11 or later
  • Tanium Direct Connect 2.1 or later
  • Tanium Discover 4.5.144 or later
  • Tanium Interact 2.11.58 or later

Client extensions

Tanium Endpoint Configuration installs client extensions for Comply on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Comply functions:

  • Comply CX - Provides Comply functions on the endpoint. Tanium Comply installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.

Endpoints

Supported operating systems

Tanium Client operating system support for Comply is the same as Tanium Client support (see Tanium Client Management User Guide: Client version and host system requirements) with the following addition.

| Operating system | Version |
|---|---|
| AIX | 7.1.4 or later |

The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploying the Tanium Client to AIX endpoints using a package file.

The Tanium Scan Engine (TSE) is required for compliance assessments that leverage Tanium Certified standards.

Disk space requirements

Endpoints must have at least 200 megabytes (MB) available in free disk space.

Disk space recommendations for satellites running remote authenticated scans

Satellite endpoints should have a minimum of 16 gigabytes (GB) RAM and 4 CPUs.

Scan engines

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry security standards, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates findings based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes the Tanium Scan Engine (powered by JovalCM) and the Amazon Corretto Java Runtime Environment (JRE), versions 8.x and 11.x. Version 11.x is provided for use with supported Windows endpoints. Most organizations can use the Tanium Scan Engine and Amazon Corretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically, the most recent version plus the two previous versions are supported.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

Footnote numbers in brackets refer to the notes below the table.

| Operating system | Operating system version | Supported JRE distributions and versions | Can deploy using Comply? |
|---|---|---|---|
| Microsoft Windows Server | Microsoft Windows Server 2008 R2 | Java version 8 distributions provided by Oracle | Yes |
| Microsoft Windows Server | Microsoft Windows Server 2012 and 2012 R2 | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Microsoft Windows Server | Microsoft Windows Server 2016 and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Microsoft Windows Workstation | Microsoft Windows 7 and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| macOS | macOS 10.13 High Sierra and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | Amazon Linux 1 AMI (2016.09, 2018.03) | JRE provided with Comply; Java version 8 distributions provided by Amazon | Yes |
| Linux | Amazon Linux 2 LTS | JRE provided with Comply; Java version 8 distributions provided by Amazon | Yes |
| Linux | Oracle Linux 5.x and later | Java version 8 distributions provided by Oracle | Yes [6] |
| Linux | Debian 8.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | Red Hat Enterprise Linux (RHEL) 5.x | Java version 8 distributions provided by Oracle | Yes [6] |
| Linux | Red Hat Enterprise Linux (RHEL) 6.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | CentOS 6.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | SUSE Linux Enterprise Server (SLES) 12.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | openSUSE 12.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | Ubuntu 14.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| AIX [1] | IBM AIX 7.1 TL1SP10 and later [2] | IBM JRE 8 | Yes [3] |
| AIX [1] | IBM AIX 7.1 TL1SP10 and later [2] | OpenJDK JRE version 8 with the HotSpot JVM | Yes [4] |
| AIX [1] | IBM AIX 7.2 | IBM JRE version 8 | Yes [3] |
| AIX [1] | IBM AIX 7.2 | OpenJDK JRE version 8 with the HotSpot JVM | Yes [4] |
| Solaris [5] | Oracle Solaris 10 SPARC | Oracle JRE 8 | Yes [6] |
| Solaris [5] | Oracle Solaris 10 x86 [2] | Oracle JRE 8 | Yes [6] |
| Solaris [5] | Oracle Solaris 11 SPARC | Oracle JRE 8 | Yes [6] |
| Solaris [5] | Oracle Solaris 11 x86 [2] | Oracle JRE 8 | Yes [6] |

[1] The IBM JRE is usually already installed on AIX endpoints. Supported versions can be used with Comply scans.

[2] 64-bit only.

[3] Only IBM JRE 8 64-bit is supported for deployment through Comply. You must repackage the JRE before it can be deployed through Comply. For details, see Repackage the IBM JRE for deployment to AIX endpoints.

[4] Only version 8 is supported for deployment through Comply. Check the OpenJDK release site for supported service pack levels for a particular OpenJDK JRE release: AdoptOpenJDK: Latest release.

[5] The Oracle JRE is usually already installed on Solaris endpoints. Supported versions can be used with Comply scans.

[6] Only version 8 is supported for deployment through Comply.

Amazon Corretto Java Runtime Environment (JRE) version 11.x is provided for use with supported Windows endpoints.

For more information, see Working with scan engines and JREs.

Unmanaged Endpoints

This section refers to remote authenticated scan support for unmanaged endpoints. Unmanaged endpoints are endpoints that do not have the Tanium Client installed. Comply provides standards for scanning the following unmanaged endpoints using a remote authenticated scan:

Operating system and operating system version:

  • Cisco Systems: IOSXE, IOS; Firewall; ASA
  • VMware: ESX; ESXi
  • All operating systems supported by the Tanium Client

Remote authenticated scanning is useful for obtaining information from endpoints and subnets that do not support having the Tanium Client installed. Although you can use remote authenticated scanning for endpoints that do support the Tanium Client, you should use client-based scanning in that case for performance reasons and to take advantage of the linear chain architecture.

* Some standards are still provided for older OS types that do not support the Tanium Client and therefore could be scanned using remote authenticated scanning, such as Windows XP.

The complete list of benchmarks Comply provides can be viewed here: https://content.tanium.com/files/published/tvl/benchmarks.html

The complete list of CVEs Comply provides can be viewed here: https://content.tanium.com/files/published/tvl/tvl.html

(Both lists are updated daily and should display newly added benchmarks and CVEs as they appear in Comply.)

See Configure a remote authenticated scan assessment for configuration details.

Host and network security requirements

Specific ports and processes are needed to run Comply.

Ports

The following ports are required for remote authenticated scanning.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Satellite | Scan target endpoint | 22 | TCP | Required for SSH for non-Windows endpoints |
| Satellite | Scan target endpoint | 5985 | TCP | Required for Windows remote management |

All other Comply port requirements are the same as Tanium Client port requirements. See Tanium Client: Network connectivity, ports, and firewalls.
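As an added example that is not part of the Tanium documentation, the following PowerShell pre-flight script checks three endpoint-side requirements stated on this page: at least 200 MB of free disk space, PowerShell not running in ConstrainedLanguage mode (which breaks the Tanium Scan Engine and CIS-CAT), and satellite reachability to scan targets on 22/TCP or 5985/TCP. The target hostnames are constructed placeholders, and the client directory is assumed to be the default install path.

```powershell
# Added pre-flight check; not part of Tanium Comply. Assumes Windows PowerShell 5.1+ on the
# endpoint or satellite, and that the Tanium Client lives in the default install directory.
param(
    # Constructed placeholder targets: one non-Windows host (SSH) and one Windows host (WinRM).
    [hashtable[]]$ScanTargets = @(
        @{ Host = 'linux-target.example.internal'; Port = 22   },
        @{ Host = 'win-target.example.internal';   Port = 5985 }
    ),
    [string]$TaniumClientDir = 'C:\Program Files (x86)\Tanium\Tanium Client',
    [int]$MinFreeMB = 200
)

$checks = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, $Value, [bool]$Pass) {
    $checks.Add([pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass })
}

# 1. Tanium Scan Engine and CIS-CAT do not run when PowerShell is in ConstrainedLanguage mode.
$mode = $ExecutionContext.SessionState.LanguageMode.ToString()
Add-Check 'PowerShell language mode' $mode ($mode -ne 'ConstrainedLanguage')

# 2. Endpoints need at least 200 MB free on the volume that holds the Tanium Client.
$drive  = Split-Path -Qualifier $TaniumClientDir          # e.g. "C:"
$disk   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
$freeMB = [int][math]::Floor($disk.FreeSpace / 1MB)
Add-Check "Free space on $drive (MB)" $freeMB ($freeMB -ge $MinFreeMB)

# 3. Remote authenticated scanning: the satellite must reach each target on 22/TCP (SSH, non-Windows)
#    or 5985/TCP (WinRM, Windows). Only the port that applies to the target's OS is probed.
foreach ($t in $ScanTargets) {
    $ok = Test-NetConnection -ComputerName $t.Host -Port $t.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Check "TCP $($t.Port) to $($t.Host)" $ok $ok
}

$checks | Format-Table -AutoSize
# A non-zero exit code lets a deployment pipeline or Tanium action treat any failed check as a blocker.
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

Run the script on the satellite with the real target list to verify firewall rules before creating a remote authenticated scan assessment.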

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Comply security exclusions

| Target device | Notes | Exclusion type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\comply-service\node.exe |
| Module Server | | Process | <Module Server>\services\comply-service\node_modules\ovalindex\build\bin\ovalindex.exe |
| Module Server | | Process | <Module Server>\services\comply-service\__new__\src\util\7z\7za.exe |
| Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| Windows endpoints | | File | <Tanium Client>\TaniumClientExtensions.dll |
| Windows endpoints | | File | <Tanium Client>\TaniumClientExtensions.dll.sig |
| Windows endpoints | | File | <Tanium Client>\extensions\TaniumComply.dll |
| Windows endpoints | | File | <Tanium Client>\extensions\TaniumComply.dll.sig |
| Windows endpoints | | File | <Tanium Client>\extensions\comply\data\comply.db |
| Windows endpoints | | File | <Tanium Client>\extensions\comply\data\current-ciscat-config.json |
| Windows endpoints | | File | <Tanium Client>\extensions\comply\data\current-intel-config.json |
| Windows endpoints | | File | <Tanium Client>\extensions\comply\data\current-java-config.json |
| Windows endpoints | | File | <Tanium Client>\extensions\comply\data\current-joval-config.json |
| Windows endpoints | | File | <Tanium Client>\extensions\comply\data\current-scan-config.json |
| Windows endpoints | | File | <Tanium Client>\extensions\comply\downloads\download.db |
| Windows endpoints | | Process | <Tanium Client>\extensions\comply\jre\bin\java.exe |
| Windows endpoints | | File | <Tanium Client>\Tools\Comply\run-assessment.vbs |
| Windows endpoints | | File | <Tanium Client>\Tools\Comply\delete-assessment.vbs |
| Linux/macOS/AIX endpoints | | Process | <Tanium Client>/TaniumCX |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so.sig |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/libTaniumComply.so |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/libTaniumComply.so.sig |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/comply/data/comply.db |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/comply/data/current-ciscat-config.json |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/comply/data/current-intel-config.json |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/comply/data/current-java-config.json |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/comply/data/current-joval-config.json |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/comply/data/current-scan-config.json |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/extensions/comply/downloads/download.db |
| Linux/macOS/AIX endpoints | | Process | <Tanium Client>/extensions/comply/jre/bin/java |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/Tools/Comply/run-assessment.sh |
| Linux/macOS/AIX endpoints | | File | <Tanium Client>/Tools/Comply/delete-assessment.sh |
| Tanium scan engine | All supported endpoints | File | <Tanium Client>/extensions/comply/engines/joval/Joval-Utilities.jar |
| CIS-CAT engine | All supported endpoints | File | <Tanium Client>/extensions/comply/engines/ciscat/CISCAT.jar |
| CIS-CAT engine | Linux endpoints only | File | <Tanium Client>/extensions/comply/engines/ciscat/CIS-CAT.sh |
| CIS-CAT engine | Windows endpoints only | File | <Tanium Client>\extensions\comply\engines\ciscat\CIS-CAT.BAT |
| SCC engine | Windows endpoints | Process | <Tanium Client>\extensions\comply\engines\scc\cscc.exe |
| SCC engine | Windows endpoints | Process | <Tanium Client>\extensions\comply\engines\scc\cscc32.exe |
| SCC engine | Windows endpoints | Process | <Tanium Client>\extensions\comply\engines\scc\cscc64.exe |
| SCC engine | Windows endpoints | Process | <Tanium Client>\extensions\comply\engines\scc\scc.exe |
| SCC engine | Windows endpoints | Process | <Tanium Client>\extensions\comply\engines\scc\scc32.exe |
| SCC engine | Windows endpoints | Process | <Tanium Client>\extensions\comply\engines\scc\scc64.exe |
| SCC engine | Linux/macOS endpoints | Process | <Tanium Client>/extensions/comply/engines/scc/cscc |
| SCC engine | Linux/macOS endpoints | File | <Tanium Client>/extensions/comply/engines/scc/cscc.bin |
| SCC engine | Linux/macOS endpoints | Process | <Tanium Client>/extensions/comply/engines/scc/scc |
| SCC engine | Linux/macOS endpoints | File | <Tanium Client>/extensions/comply/engines/scc/scc.bin |

For remote vulnerability assessments, see Tanium Discover User Guide: Host and network security requirements for Nmap security exclusions.

For best results, add a recursive security exclusion for the Tanium Client directory:

  • Windows endpoints: <Tanium Client>

    This path is usually C:\Program Files (x86)\Tanium\Tanium Client.

  • Linux endpoints: /opt/Tanium/TaniumClient
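As an added example that is not part of the Tanium documentation, this PowerShell script compares the Windows endpoint rows of the Comply exclusion table above against the exclusions currently configured in Microsoft Defender Antivirus, treating a directory exclusion as covering everything beneath it (which is why the recursive exclusion for the client directory satisfies every row). Defender as the security product and the default client directory are assumptions; other AV products expose their exclusion lists differently.

```powershell
# Added example; not part of Tanium Comply. Assumes Microsoft Defender Antivirus is the security
# software in use and that the Tanium Client is installed in the default directory.
$TaniumClient = 'C:\Program Files (x86)\Tanium\Tanium Client'

# Windows endpoint rows from the Comply exclusion table, with <Tanium Client> substituted.
$Expected = @(
    @{ Type = 'Process'; Path = "$TaniumClient\TaniumCX.exe" },
    @{ Type = 'File';    Path = "$TaniumClient\TaniumClientExtensions.dll" },
    @{ Type = 'File';    Path = "$TaniumClient\TaniumClientExtensions.dll.sig" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\TaniumComply.dll" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\TaniumComply.dll.sig" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\comply\data\comply.db" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\comply\data\current-ciscat-config.json" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\comply\data\current-intel-config.json" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\comply\data\current-java-config.json" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\comply\data\current-joval-config.json" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\comply\data\current-scan-config.json" },
    @{ Type = 'File';    Path = "$TaniumClient\extensions\comply\downloads\download.db" },
    @{ Type = 'Process'; Path = "$TaniumClient\extensions\comply\jre\bin\java.exe" },
    @{ Type = 'File';    Path = "$TaniumClient\Tools\Comply\run-assessment.vbs" },
    @{ Type = 'File';    Path = "$TaniumClient\Tools\Comply\delete-assessment.vbs" }
)

$pref     = Get-MpPreference
$pathExcl = @($pref.ExclusionPath    | Where-Object { $_ })   # files or directories; a directory covers its subtree
$procExcl = @($pref.ExclusionProcess | Where-Object { $_ })   # image paths or bare names; applies to files the process opens

function Test-Covered([string]$Type, [string]$Path) {
    foreach ($p in $pathExcl) {
        if ($Path -like $p) { return $true }                  # exact or wildcard match
        $dir = $p.TrimEnd('\') + '\'
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }  # recursive directory
    }
    if ($Type -eq 'Process') {
        $leaf = Split-Path -Leaf $Path
        foreach ($p in $procExcl) {
            if ($Path -like $p -or $leaf -like (Split-Path -Leaf $p)) { return $true }
        }
    }
    return $false
}

$report = foreach ($e in $Expected) {
    [pscustomobject]@{ Type = $e.Type; Exclusion = $e.Path; Covered = (Test-Covered $e.Type $e.Path) }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Covered }) { exit 1 }   # any uncovered row fails the check
```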

User role requirements

The following tables list the role permissions required to use Comply. To review a summary of the predefined roles, see Set up Comply users.

For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Comply user role permissions

Footnote numbers in brackets refer to the notes below the table.

| Permission | Comply Administrator [1,2,3,5,6] | Comply Operator [1,2,3,5,6] | Comply Deployment Administrator [1,2,3] | Comply Report Content Administrator [1] | Comply Report Administrator [1,2,3] | Comply Report Reviewer [1,2] | Comply Custom Check Writer [3] | Comply Service Account [1,2,3] | Comply RAS Assessment Creator [5,6] | Comply Endpoint Configuration Approver [3,4] |
|---|---|---|---|---|---|---|---|---|---|---|
| Comply (view the Comply workbench) | ADMIN, OPERATOR, SHOW | OPERATOR, SHOW | SHOW | SHOW | SHOW | SHOW | SHOW | ADMIN, OPERATOR, SHOW | SHOW | |
| Comply Components (manage all back-end components in Comply, such as actions) | | | | | | | | MANAGE | | |
| Comply Custom Check (view and create custom checks) | WRITE | WRITE | | | | | WRITE | WRITE | | |
| Comply Deployment (view and create targets and update Comply engines) | READ, WRITE | READ, WRITE | READ, WRITE | | | | | READ, WRITE | | |
| Comply Report (view and create Comply reports and assessments) | READ, WRITE | READ, WRITE | | | READ, WRITE | READ | | READ, WRITE | READ, WRITE | |
| Comply Report Content (view and manage Comply standards) | READ, WRITE | READ, WRITE | READ, WRITE | READ, WRITE | READ | READ | READ | READ, WRITE | READ | |
| Comply Credential (view and create credentials for RAS assessments) | READ, WRITE | READ, WRITE | | | READ | | | | READ | |
| Comply RAS Assessment (view and create RAS assessments) | READ, WRITE | READ, WRITE | | | READ, WRITE | | | | READ, WRITE | |
| Comply Endpoint Configuration Approve (enables approver privileges in Tanium Endpoint Configuration for Comply changes) | | | | | | | | | | APPROVE |
| Interact Result Expansion Content (view and create expansions; internal purposes only) | READ, WRITE | READ, WRITE | | | | | | | | |

[1] This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

[2] This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

[3] This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

[4] If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

[5] This role provides module permissions for Tanium Direct Connect. For more information, see Tanium Direct Connect User Guide: User role requirements.

[6] This role provides module permissions for Tanium Discover. For more information, see Tanium Discover User Guide: User role requirements.

Provided Comply platform content user role permissions

| Permission | Comply Administrator | Comply Operator | Comply Deployment Administrator | Comply Report Content Administrator | Comply Report Administrator | Comply Report Reviewer | Comply Service Account | Comply Custom Check Writer | Comply RAS Assessment Creator |
|---|---|---|---|---|---|---|---|---|---|
| Action | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | READ | | | READ, WRITE |
| Action For Saved Question | WRITE | WRITE | | | WRITE | | | | WRITE |
| Own Action | READ | READ | READ | | READ | READ | | | READ |
| Package | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | | | | READ, WRITE |
| Plugin | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE |
| Saved Question | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | READ | | | READ, WRITE |
| Sensor | READ | READ | READ | | READ | READ | | | READ |

You can view which content sets are granted to any role in the Tanium Console.