Beginner’s guide to Comply
Welcome to the Beginner’s guide to Comply! As a new user, you'll need to perform some initial installation and configuration tasks, and then we'll show you how to use the core features of Comply.
Step 1: Install and configure Comply
Use the main documentation to install and configure Comply. If you already completed these steps, proceed to step 2.
- Install Puppet Application Manager (PAM)
- Set up Comply
Step 2: Set desired compliance
Desired compliance is the benchmark and profile that you want to assign to a particular node. It is what is scanned on that node by default. Most of the time, you only need to set this once for your nodes.
Based on fact information from PE, Comply automatically assigns an appropriate benchmark for each operating system, along with a Level 1 profile, to nodes that have not been set. Accepting this option is the quickest way to get up and running with desired compliance.
Alternatively, you can manually choose your own benchmark and profiles. For more information, see Manually set desired compliance.
Step 3: Run a CIS scan
You are now ready to run a scan.
- In Comply, click Scans, and then Run an ad hoc scan.
In the Benchmark drop-down menu, select Desired compliance or a benchmark and profile of
If you have not set desired compliance, follow the instructions in Setting desired compliance.
- Next, select an option from the Profile drop-down menu. To use a custom profile for this scan, select the Use an associated custom profile? option and choose the relevant option from the Custom profile drop-down menu.
- Click Next to review the PE credentials and environment you want the scan to run on.
Click Next to see the nodes selected for scanning.
To scan only a subset of nodes, deselect any nodes that you want to exclude.
Debug mode: By default, assessor logs are set to WARN level. To troubleshoot an issue, you can set the logging level to DEBUG for the scan by clicking Run in debug mode. The assessor logs can then be retrieved from the individual node.
On Linux and macOS platforms the assessor log is located at:
On Windows the assessor log is located at:
Note that scanning in debug mode increases the size of the assessor log file significantly.
Click Scan. To confirm, click
You are taken to the Activity feed, which lists each scan. Scans are run as a task in PE. To see the details of the job, click the job ID to be taken to PE.
Tip: You can also run a scan by clicking the Scan nodes button at the top right corner on several pages. This option uses the nodes listed on the page you are currently viewing.
Optionally, to review the results of your scan, navigate to the Compliance Dashboard page.
See Scan results for a description of the scan data.