Comply requirements

Review the requirements before you install and use Comply.

Tanium dependencies

| Component | Requirement |
| --- | --- |
| Tanium Core Platform | 7.3.314.4250 or later |
| Tanium™ Client | Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements. |

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium solutions

If you selected Tanium Recommended Installation when you installed Comply, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the Tanium solutions that Comply requires to function, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Tanium solutions at the following minimum versions are required:

  • Tanium Connect 4.10.5 or later

    (To customize columns for exports, you must have Connect 5.8.49 or later.)

  • Tanium Discover 3.0 or later (required for remote vulnerability reports)

  • Tanium Endpoint Configuration 1.2 or later

    (Endpoint Configuration is installed as part of Tanium Client Management 1.7 or later.)

  • Tanium Interact 2.7.210 or later

  • Tanium Platform Services 1.3 or later

  • Tanium Trends 3.6 or later

Computer groups

(Tanium Core Platform 7.4.2 or later only) When you first sign in to the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Comply requires:
  • All Computers
  • All Windows 10
  • All Windows Server 2012 R2
  • All Windows Server 2016
  • All Windows Server 2019
  • All Red Hat 7
  • All Red Hat 8
  • All Ubuntu 18
  • All Ubuntu 19
  • All Ubuntu 20
  • All CentOS 7
  • All CentOS 8
  • All macOS 10.14
  • All macOS 10.15
  • All macOS 11.1

Endpoints

Supported operating systems

Tanium Client operating system support for Comply is the same as Tanium Client support (see Tanium Client Management User Guide: Client version and host system requirements) with the following exceptions.

| Operating System | Version |
| --- | --- |
| Windows | Windows 7 SP1 or later; Windows Server 2008 R2 SP1 or later |
| AIX | 7.1.4 or later |

The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploying the Tanium Client to AIX endpoints using a package file.

The Tanium Scan Engine (TSE) is required for compliance assessments that leverage Tanium Certified standards.

Disk space requirements

Endpoints must have at least 200 megabytes (MB) available in free disk space.

Scan engines

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry security standards, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates findings based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE) versions 8.x and 11.x. Version 11.x is provided for use with supported Windows endpoints. Most organizations can use the Tanium Scan Engine and Amazon Corretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically, the most recent version plus the two previous versions are supported.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

| Operating system | Operating system version | Supported JRE distributions and versions | Can deploy using Comply? |
| --- | --- | --- | --- |
| Microsoft Windows Server | Microsoft Windows Server 2008 and 2008 R2 | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Microsoft Windows Server | Microsoft Windows Server 2012 and 2012 R2 | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Microsoft Windows Server | Microsoft Windows Server 2016 and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Microsoft Windows Workstation | Microsoft Windows 7 and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| macOS | OS X 10.11 El Capitan and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | Amazon Linux 1 AMI (2016.09, 2018.03) | JRE provided with Comply; Java version 8 distributions provided by Amazon | Yes |
| Linux | Amazon Linux 2 LTS | JRE provided with Comply; Java version 8 distributions provided by Amazon | Yes |
| Linux | Debian 6.x, 7.x | Java version 7 or 8 (preferred) distributions provided by Oracle | Yes [6] |
| Linux | Debian 8.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | Oracle Linux 5.x and later | Java version 7 or 8 (preferred) distributions provided by Oracle | Yes [6] |
| Linux | Red Hat Enterprise Linux (RHEL) 5.x | Java version 7 or 8 (preferred) distributions provided by Oracle | Yes [6] |
| Linux | Red Hat Enterprise Linux (RHEL) 6.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | CentOS 5.x | Java version 7 or 8 (preferred) distributions provided by Oracle | Yes [6] |
| Linux | CentOS 6.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | SUSE Linux Enterprise Server (SLES) 11.x | JRE provided with Comply; Java version 7 or 8 distributions provided by Oracle | Yes [6] |
| Linux | openSUSE 11.x | JRE provided with Comply; Java version 7 or 8 distributions provided by Oracle | Yes [6] |
| Linux | SUSE Linux Enterprise Server (SLES) 12.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | openSUSE 12.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | Ubuntu 12.04 - 13.x | Java version 7 or 8 distributions provided by Oracle | Yes [6] |
| Linux | Ubuntu 14.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| AIX [1] | IBM AIX 7.1 TL1SP10 and later [2] | IBM JRE version 7.x or 8 (preferred) | Yes [3] |
| AIX [1] | IBM AIX 7.1 TL1SP10 and later [2] | OpenJDK JRE version 7 or 8 with the HotSpot JVM | Yes [4] |
| AIX [1] | IBM AIX 7.2 | IBM JRE version 7.x or 8 (preferred) | Yes [3] |
| AIX [1] | IBM AIX 7.2 | OpenJDK JRE version 7 or 8 with the HotSpot JVM | Yes [4] |
| Solaris [5] | Oracle Solaris 10 SPARC | Oracle JRE 7 or 8 (preferred) | Yes [6] |
| Solaris [5] | Oracle Solaris 10 x86 [2] | Oracle JRE 7 or 8 (preferred) | Yes [6] |
| Solaris [5] | Oracle Solaris 11 SPARC | Oracle JRE 7 or 8 (preferred) | Yes [6] |
| Solaris [5] | Oracle Solaris 11 x86 [2] | Oracle JRE 7 or 8 (preferred) | Yes [6] |

[1] The IBM JRE is usually already installed on AIX endpoints. Supported versions can be used with Comply scans.

[2] 64-bit only.

[3] Only IBM JRE 8 64-bit is supported for deployment through Comply. You must repackage the JRE before it can be deployed through Comply. For details, see Repackage the IBM JRE for deployment to AIX endpoints.

[4] Only version 8 is supported for deployment through Comply. Check the OpenJDK release site for supported service pack levels for a particular OpenJDK JRE release: AdoptOpenJDK: Latest release.

[5] The Oracle JRE is usually already installed on Solaris endpoints. Supported versions can be used with Comply scans.

[6] Only version 8 is supported for deployment through Comply.

Amazon Corretto Java Runtime Environment (JRE) version 11.x is provided for use with supported Windows endpoints.

For more information, see Working with scan engines and JREs.

Host and network security requirements

Specific ports, processes, and URLs are needed to run Comply.

Ports

The following ports are required for Comply communication.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Module Server | Module Server (loopback) | 17453 | TCP | Internal purposes; not externally accessible |

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, a security administrator must create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on the antivirus (AV) software in use. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Comply security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\comply-service\node.exe |
| Module Server | | Process | <Module Server>\services\comply-service\node_modules\ovalindex\build\bin\ovalindex.exe |
| Windows endpoints | | Process | <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe |
| Windows endpoints | Environments where Java encryption is disabled | Process | <Tanium Client>\Tools\Comply\jre\bin\java.exe |
| Windows endpoints | Environments where Java encryption is enabled | Process | <Tanium Client>\Downloads\Action_*\jre\bin\java.exe |
| Windows endpoints | | Process | <Tanium Client>\Tools\Comply\7za.exe |
| Linux/macOS/AIX endpoints | | Process | <Tanium Client>/Tools/Comply/TaniumExecWrapper |
| Linux/macOS/AIX endpoints | Environments where Java encryption is disabled | Process | <Tanium Client>/Tools/Comply/jre/bin/java |
| Linux/macOS/AIX endpoints | Environments where Java encryption is enabled | Process | <Tanium Client>/Downloads/Action_*/jre/bin/java |
| Linux/macOS/AIX endpoints | | Process | <Tanium Client>/Tools/Comply/7za |
| Linux/macOS/AIX endpoints | | Process | <Tanium Client>/Tools/Comply/xsltproc |
| Tanium scan engine | | Process | <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar |
| CIS-CAT engine | | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar |
| CIS-CAT engine | Linux only | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh |
| CIS-CAT engine | Windows only | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc32.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc64.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc32.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc64.exe |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/cscc |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/cscc.bin |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/scc |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/scc.bin |

Comply security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Windows endpoints | | Process | <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe |
| Windows endpoints | Environments where Java encryption is disabled | Process | <Tanium Client>\Tools\Comply\jre\bin\java.exe |
| Windows endpoints | Environments where Java encryption is enabled | Process | <Tanium Client>\Downloads\Action_*\jre\bin\java.exe |
| Windows endpoints | | Process | <Tanium Client>\Tools\Comply\7za.exe |
| Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/TaniumExecWrapper |
| Linux/macOS endpoints | Environments where Java encryption is disabled | Process | <Tanium Client>/Tools/Comply/jre/bin/java |
| Linux/macOS endpoints | Environments where Java encryption is enabled | Process | <Tanium Client>/Downloads/Action_*/jre/bin/java |
| Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/7za |
| Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/xsltproc |
| Tanium Scan Engine | | Process | <Tanium Client>/Tools/Comply/joval/Joval4Tanium.jar |
| Tanium Scan Engine | | Process | <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar |
| CIS-CAT engine | | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar |
| CIS-CAT engine | Linux only | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh |
| CIS-CAT engine | Windows only | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc32.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc64.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc32.exe |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc64.exe |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/cscc |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/cscc.bin |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/scc |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/scc.bin |

For remote vulnerability assessments, see Tanium Discover User Guide: Host and network security requirements for Nmap security exclusions.

For best results, add a recursive security exclusion for the Tanium Client directory:

  • Windows endpoints: <Tanium Client>

    This path is usually C:\Program Files (x86)\Tanium\Tanium Client.

  • Linux endpoints: /opt/Tanium/TaniumClient

If a recursive exclusion is not possible, ensure that your exclusion for the TaniumExecWrapper process includes child processes. The path to this process is listed for each operating system in the preceding table. Some engines use child processes to run scans, and those child processes must be allowed for Comply to function.
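
One way to audit an exported exclusion list against the Windows endpoint process paths listed above, including the recursive and child-process cases. This is an added example, not Tanium code: the rule format (path, recursive and children fields) is hypothetical, the sample rules are constructed, and wildcards are assumed to match within a single path component, which you should confirm for your security product.

```python
import fnmatch

CLIENT = r"C:\Program Files (x86)\Tanium\Tanium Client"  # usual Windows path per this page
REQUIRED = [  # Windows endpoint rows of the exclusions table, relative to <Tanium Client>
    r"Tools\Comply\TaniumExecWrapper.exe",
    r"Tools\Comply\jre\bin\java.exe",
    r"Downloads\Action_*\jre\bin\java.exe",
    r"Tools\Comply\7za.exe",
]
SAMPLE_IDS = ("1001", "2002")  # constructed stand-ins for the Action_* wildcard


def parts(path):
    """Split a Windows path into lower-cased components (paths are case-insensitive)."""
    return [p for p in path.lower().replace("/", "\\").split("\\") if p]


def covers(rule, target):
    """True if one exclusion rule covers one concrete path, component by component."""
    rp, tp = parts(rule["path"]), parts(target)
    if rule.get("recursive"):
        if len(rp) > len(tp):
            return False
        tp = tp[:len(rp)]  # a recursive rule only has to match the leading directories
    elif len(rp) != len(tp):
        return False
    return all(fnmatch.fnmatchcase(t, r) for r, t in zip(rp, tp))


def audit(rules, client=CLIENT):
    """Return (missing required paths, warnings) for a list of exclusion rules."""
    missing, warnings = [], []
    for rel in REQUIRED:
        samples = [client + "\\" + rel.replace("*", i) for i in SAMPLE_IDS]
        if not all(any(covers(r, s) for r in rules) for s in samples):
            missing.append(rel)
    wrapper = client + "\\" + REQUIRED[0]
    hits = [r for r in rules if covers(r, wrapper)]
    if hits and not any(r.get("recursive") or r.get("children") for r in hits):
        warnings.append("TaniumExecWrapper exclusion does not include child processes")
    return missing, warnings


# Constructed sample export (hypothetical format): the wrapper rule omits child
# processes, the Action_ rule is pinned to one action ID, and 7za.exe is absent.
SAMPLE_RULES = [
    {"path": CLIENT + r"\Tools\Comply\TaniumExecWrapper.exe", "children": False},
    {"path": CLIENT + r"\Tools\Comply\jre\bin\java.exe"},
    {"path": CLIENT + r"\Downloads\Action_1001\jre\bin\java.exe"},
]
RECURSIVE_RULE = [{"path": CLIENT, "recursive": True}]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
    print(audit(RECURSIVE_RULE))
```

The first audit reports the pinned Action_ rule and the absent 7za.exe rule as gaps and warns about child processes; the single recursive rule on the client directory passes cleanly.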

User role requirements

The following tables list the role permissions required to use Comply. To review a summary of the predefined roles, see Set up Comply users.

For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Comply user role permissions

| Permission | Comply Administrator [1, 2, 3] | Comply Operator [1, 2, 3] | Comply Deployment Administrator [1, 2, 3] | Comply Report Content Administrator [1] | Comply Report Administrator [1, 2, 3] | Comply Report Reviewer [1, 2] | Comply Custom Check Writer [3] | Comply Service Account [1, 2, 3] | Comply Endpoint Configuration Approver [3, 4] |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Comply: View the Comply workbench | ADMIN, OPERATOR, SHOW | OPERATOR, SHOW | SHOW | SHOW | SHOW | SHOW | SHOW | ADMIN, OPERATOR, SHOW | |
| Comply Components: Manage all back-end components in Comply such as actions | | | | | | | | MANAGE | |
| Comply Custom Check: View and create custom checks | WRITE | WRITE | | | | | WRITE | WRITE | |
| Comply Deployment: View and create targets and update Comply engines | READ, WRITE | READ, WRITE | READ, WRITE | | | | | READ, WRITE | |
| Comply Report: View and create Comply reports and assessments | READ, WRITE | READ, WRITE | | | READ, WRITE | READ | | READ, WRITE | |
| Comply Report Content: View and manage Comply standards | READ, WRITE | READ, WRITE | READ, WRITE | READ, WRITE | READ | READ | READ | READ, WRITE | |
| Comply Endpoint Configuration Approve: Enables approver privileges in Tanium Endpoint Configuration for Comply changes | | | | | | | | | APPROVE |
| Interact Result Expansion Content: View and create expansions (internal purposes only) | READ, WRITE | READ, WRITE | | | | | | | |

[1] This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

[2] This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

[3] This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

[4] If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

Provided Comply platform content user role permissions

| Permissions | Comply Administrator | Comply Operator | Comply Deployment Administrator | Comply Report Content Administrator | Comply Report Administrator | Comply Report Reviewer | Comply Service Account | Comply Custom Check Writer |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Action | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | READ | | |
| Action For Saved Question | WRITE | WRITE | | | WRITE | | | |
| Own Action | READ | READ | READ | | READ | READ | | |
| Package | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | | | |
| Plugin | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE |
| Saved Question | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | READ | | |
| Sensor | READ | READ | READ | | READ | READ | | |

You can view which content sets are granted to any role in the Tanium Console.