
Using Sicura Agent

The Sicura Agent is run from the command line as sicura-agent followed by a sub-command. For a full list of sub-commands and their functions, run sicura-agent help.

run

Jobs can be run immediately or scheduled for specific times from the Sicura Console UI. From the command line, sicura-agent run launches the Sicura Agent in a “waiting mode”: the Agent opens a connection to each collector and waits for a job to be requested.

install

To add the Sicura Agent as a service to your host OS, run sicura-agent install.

Note: On Windows systems the service will be automatically installed.

Service managers we support:

remove

To remove the service for the Sicura Agent, run sicura-agent remove.

start

The Sicura Agent runs as a daemon/service. To start the service, run sicura-agent start. The Sicura Agent will then run a sicura-agent run process in the background.

stop

To stop the service for the Sicura Agent, run sicura-agent stop.

status

To check the current status of the Sicura Agent service, run sicura-agent status.

list

Running sicura-agent list will search all content locations defined in your config and all benchmark files, then display the profiles that can be used for scanning.

INFO[0000] Parsing benchmarks...
INFO[0002] /var/db/sicura/agent/state/benchmarks/scap/(stig or cis)/Sicura_Default_Content-Example.xml
INFO[0002]       disa-stig_example_profile_name
INFO[0002]       xccdf_org.cisecurity.benchmarks_profile_Level_2
INFO[0002] /home/myUsername/benchmarks/MyCustomBenchmarks.xml
INFO[0002]       disa-stig_example_profile_name
INFO[0002]       nist_800_53_example_profile_name

info

Running sicura-agent info will dump all system information being used by the Sicura Agent.

INFO[0000] os.release.major: 7
INFO[0000] scap_filename:
INFO[0000] platform: cpe:/o:centos:7
INFO[0000] cpe_list: {[cpe:/o:centos:7]}
INFO[0000] os.family: centos
INFO[0000] os.release.full: 7
INFO[0000] fqdn: computer-hostname
INFO[0000] kernel: linux
INFO[0000] os.name: centos
INFO[0000] sicura-agent.statedir: /var/db/sicura/agent/state
INFO[0000] sicura-agent.default_scap_scanner: OpenSCAP

Note: Your output will vary from this example depending on your system.

~~register~~ DEPRECATED

Running sicura-agent register will walk you through an interactive registration process that gets your system to a scannable/enforceable state and connected to an instance of Sicura Console.

An example of the registration process is as follows:

? Enter the name this node will appear on the console as (default: FQDN) node.name
? Enter a URL for your collector https://my-sicura-console:6468
? Enter the registration token for your collector XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
? Select abilities this node can use:  [Use arrows to move, space to select, type to filter]
> [x]  OpenSCAP -- Perform vulnerability assessment for Linux using the open source OpenSCAP tool.
  [ ]  jScat -- Perform vulnerability assessment for Windows using the jScat tool.
  [ ]  CIS-Cat -- Perform CIS assessment using proprietary CIS-Cat Assessor.
  [ ]  SCE Reporting -- Submit compliance reports generated by Sicura Compliance Engine to Sicura Console.
  [x]  Enforce Compliance -- Accept compliance enforcement from Sicura Console.

This will register the node with the Sicura Console running at https://my-sicura-console:6468 to use the assessors OpenSCAP and CIS-Cat.

If at any point you need to change any of the information set during registration, you can edit your collector config.

~~scan~~ DEPRECATED

The four flags for sicura-agent scan are -A, -b, -p and -node.

To perform a scan on your local system, run sicura-agent scan -A API Version -b file.xml -p profile, replacing API Version, file.xml and profile with your own values.

Note: If no benchmark or profile is specified, the agent will prompt for a selection from the sicura-agent list results.

Note: If you have a benchmark located somewhere sicura-agent list does NOT already know about, you must specify the absolute path.

Example:

 sicura-agent scan -b /home/myUsername/benchmarks/MyCustomBenchmarks.xml -p disa-stig_example_profile_name
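
A pre-flight check for the -b and -p arguments above, as an added example that is not part of the Sicura documentation or the agent itself. It parses text in the format sicura-agent list prints on this page and reports whether a benchmark/profile pair is usable; the function names are hypothetical, the sample text is constructed from the listing on this page, and the check is stricter than the notes above in that it always expects the benchmark as an absolute path.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: `sicura-agent list` output in the format shown on this page.
SAMPLE_LIST_OUTPUT = """\
INFO[0000] Parsing benchmarks...
INFO[0002] /var/db/sicura/agent/state/benchmarks/scap/(stig or cis)/Sicura_Default_Content-Example.xml
INFO[0002]       disa-stig_example_profile_name
INFO[0002]       xccdf_org.cisecurity.benchmarks_profile_Level_2
INFO[0002] /home/myUsername/benchmarks/MyCustomBenchmarks.xml
INFO[0002]       disa-stig_example_profile_name
INFO[0002]       nist_800_53_example_profile_name
"""

# "INFO[nnnn] " prefix, optional indentation, then the message (trailing spaces ignored).
LINE = re.compile(r"^INFO\[\d+\] (?P<indent>\s*)(?P<msg>\S.*?)\s*$")


def parse_list_output(text):
    """Map each benchmark file path to the profile names listed beneath it."""
    benchmarks, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an INFO line in the format shown on the page
        indent, msg = m["indent"], m["msg"]
        if not indent and msg.startswith("/") and msg.endswith(".xml"):
            current = benchmarks.setdefault(msg, [])  # unindented path: new benchmark
        elif indent and current is not None:
            current.append(msg)  # indented entry: profile of the current benchmark
    return benchmarks


def check_scan_args(list_output, benchmark, profile):
    """Return a list of problems with a -b/-p pair; an empty list means usable."""
    known = parse_list_output(list_output)
    if benchmark in known:
        if profile in known[benchmark]:
            return []
        return [f"profile {profile!r} not listed for {benchmark}; "
                f"listed profiles: {', '.join(known[benchmark])}"]
    if not PurePosixPath(benchmark).is_absolute():
        return [f"{benchmark!r} is not reported by sicura-agent list, so give its absolute path"]
    return []  # absolute path outside the known locations: profile cannot be checked here


if __name__ == "__main__":
    print(check_scan_args(SAMPLE_LIST_OUTPUT,
                          "/home/myUsername/benchmarks/MyCustomBenchmarks.xml",
                          "disa-stig_example_profile_name"))
```

In practice, pass the captured output of sicura-agent list as the first argument instead of the sample text.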

~~fetch~~ DEPRECATED

To connect to each of the Sicura Console collectors (see the sicura-agent.yaml section for details) and download new or updated content, run sicura-agent fetch.

INFO[0000] [1] Registering collector on http://192.168.0.100:6468/collector/default 
INFO[0000] Fetching Benchmark: scap/cis/Sicura_Default_Content-Example-CIS.xml 
INFO[0000] Fetching Benchmark: scap/stig/Sicura_Default_Content-Example-STIG.xml 
INFO[0000] [1] Benchmarks are up to date