Working with standards and vulnerability sources

You must have the Comply Report Content Administrator role to read and write configuration compliance standards and vulnerability sources. For more information about Comply roles, see User role requirements.

Comply 2.4 and later includes several Tanium Certified standards. These standards have a Tanium certified label. You can use these standards only with the Tanium Scan Engine (powered by JovalCM).

If you want to use other standards or scan engines, you must import them. See Download and import the CIS engine and Download and import the SCC scan engine for instructions on how to import or upgrade standards in bulk.

The complete list of standards Comply provides can be viewed here: https://content.tanium.com/files/published/tvl/benchmarks.html. This list is updated daily.

Configuration compliance standards

Importing individual standards and assigning categories

You can import standards in Comply that have the following file formats:

  • Split XCCDF format: XCCDF file, OVAL file, CPE, and CPE-dictionary
  • Single SCAP 1.2 datastream single file
  • Multiple ZIP files containing split XCCDF files (Make sure that all referenced files are included in the zip.)

    • Benchmarks can refer to scripts that reside in other files. Make sure all referenced files are included in the import.

Use categories and labels to group the standards. You can filter the list of standards on the Standards > Compliance page by category and label.

  1. On the Standards page, in the Compliance tab, click the Import button to import configuration compliance standards.
  2. Provide a Description for the standard.
  3. (Optional) Enter custom labels in the Labels field to describe the standard.
  4. Click Select Files and select the standard files.
  5. Click Import.




Filter standards

You can filter standards by category on the Standards page, in the Compliance tab by selecting a category from the Filter arrow and choosing from the Label drop-down list.

Change a Standards label

  1. On the Standards page Compliance tab, hover over a standard to show the Edit icon. Click this icon.

  2. In the Standard Metadata window, edit the Labels for the standard.
  3. Click Save.

Create a standard

  1. From the Comply Setup page, click Compliance.
  2. Click Create Custom Profile.
  3. In the Custom Profile window, enter a title and a description.
  4. Select a standard and click Create.

Delete a Standard

  1. From the Comply Setup menu, click Compliance.
  2. On the Custom Profiles tab, click Deletenext to the standard you want to delete.
  3. Click OK.

You cannot delete a compliance standard that is used in an assessment. You must delete the assessment first, and then you can delete the compliance standard.

Filtering standards

Use the Label Filter field at the top right of the Standards page, in the Compliance tab to filter the standards. Begin entering text to see a list of available labels or click the X next to an existing label to remove it from the list of filters.

Comply includes several Tanium Certified standards. These standards have a Tanium Certified icon. You can use these standards only with the Tanium Scan Engine (powered by JovalCM).

Standards with a Verified label were tested and confirmed to work with Comply. Only verified standards display by default. Standards with an Unverified label were not tested with Comply. This label does not mean that the standard does not work with Comply. Standards with an Unsupported label do not work with Comply.

Viewing configuration compliance standard profiles and creating assessments

  1. On the Standards page, in the Compliance tab , click Expand to see the details of a configuration compliance standard.
  2. In the Profiles section, hover over a profile and click the Create Assessment button next to a standard profile to create an assessment for that profile.

    Click the Create Assessment button at the top to create an assessment for the first profile listed.

    The Create Configuration Compliance Assessment page opens. For the steps to create a configuration compliance report, see Create a configuration compliance assessment.

Vulnerability sources

In the Comply menu, click Standards and select the Vulnerability tab to open the Vulnerability Standards page.

Default vulnerability sources

Expand Tanium Vulnerability Library to see the vulnerability sources provided by Comply:

  • Tanium Vulnerability Library for Unix
  • Tanium Vulnerability Library for macOS
  • Tanium Vulnerability Library for Windows

  • Tanium Vulnerability Library for Unmanaged

The complete list of CVEs Comply provides can be viewed here: https://content.tanium.com/files/published/tvl/tvl.html. This list is updated daily.

Not all CVEs listed in the Tanium Vulnerability Library can be detected using Comply assessments.

Expand default vulnerability sources to view details, create a report, update them, or edit them. Click on the number of CVEs to see the full list of CVEs included in a standard. You can search the CVE list by using Filter by Name field. When CVEs are found, you can further filter that list by clicking Filters and using the available filter categories.

Tanium maintains the Tanium Vulnerability Library daily. The new version of the Tanium Vulnerability Library is available for download by clicking Update Source in the Tanium Vulnerability Library section on the Vulnerability Standards page.

The Tanium Vulnerability Library is downloaded from https://content.tanium.com/files/published/tvl/vuln.db.cgz

By default, the Tanium Vulnerability Library is automatically updated daily. To change this schedule, click Edit Source .

Keep the default schedule that updates the Tanium Vulnerability Library daily.

Comply checks approximately every 60 minutes to compare scheduled vulnerability reports against the most recent version of the Tanium Vulnerability Library. The report rebuilds if new definitions are available for any of the specified Vulnerability Content (Range of CVEs, CVSS Score, or Individual CVEs) and a report is scheduled to run.

Search for CVEs

Enter one or more CVEs in the Search all sources for CVEs field at the top of the Vulnerability page and click Search for CVEs. You can use a search to scan all vulnerability sources to identify which sources contain the specified CVEs.

Upload the vulnerability source file for air-gapped environments

If you are working in an air-gapped environment, you must configure that setting in Comply and then upload the air gap ZIP file. For the steps to configure Comply for an air-gapped environment, see Configure Comply for an air-gapped environment.

  1. After you specify that you are working in an air-gapped environment (set is_airgapped to True on the Settings page) click the Vulnerability tab on the Standards page to open the Vulnerability Standards page.
  2. Click Upload Airgap Zip.
  3. Download the air gap ZIP file from the link indicated in the Upload Tanium Standards Library Airgap Zip window (https://content.tanium.com/files/published/tvl/Comply-Standards-Airgap-v1.zip) using a machine that can connect to the internet and save it on the air-gapped machine.
  4. Click Select File, select the air gap ZIP file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close on the upload window. Allow approximately five minutes for Comply to update the vulnerability standards. If you expand a vulnerability source, you will see the Type indicated as Local as well as a completed count of CVEs after the standards are successfully updated from the uploaded air gap ZIP file.

Create a new vulnerability source

  1. From the Comply menu, click Standards.
  2. On the Vulnerability tab click the Create Source button.
  3. In the Details section, provide a Name, Vendor, and Description.
  4. To schedule automatic updates, select Recurring.
  5. In the OVAL Definitions section, choose either Remote or Import for the Definition Type.
    6. A remote source is a URL that points to an OVAL definition XML file and can be updated by clicking Update next to the standard on the Vulnerability Standards page.

    Remote sources are best suited when OVAL content is updated periodically. Uploaded sources are best suited to air-gapped environments or when you would like to manually download and provide the source feed.

    You can follow the instructions found here: https://github.com/CISecurity/OVALRepo to generate an OVAL definition file from CIS that provides access to all vulnerability definitions.
  6. Enter the path for the Remote or Select file for Import as appropriate.
  7. Click Create.

Edit or delete a vulnerability source

On the Vulnerability Standards page, click Edit to edit a vulnerability source or Delete to delete a vulnerability source.

Perform a vulnerability scan and create an assessment

  1. Click Expand to see the details of a vulnerability standard and view information about the associated XML file and operating systems. Click Create Assessment to create a new vulnerability assessment.
  2. Click Create and Deploy to run the vulnerability scan.