The Sicura Agent can be executed from the command line with sicura-agent followed by sub-command. For a full list of sub-commands and their functions, run sicura-agent help.
runJobs can be run immediately or scheduled for specific times from the Sicura Console UI. From the command line, sicura-agent run will launch the Sicura Agent into a “waiting mode”. The Agent will then open connections against each collector, waiting for a job to be requested.
listRunning sicura-agent list will search all content locations defined in your config and all benchmark files then display the profiles that can be used for scanning.
INFO[0000] Parsing benchmarks...
INFO[0002] /var/db/sicura/agent/state/benchmarks/scap/(stig or cis)/Sicura_Default_Content-Example.xml
INFO[0002] disa-stig_example_profile_name
INFO[0002] xccdf_org.cisecurity.benchmarks_profile_Level_2
INFO[0002] /home/myUsername/benchmarks/MyCustomBenchmarks.xml
INFO[0002] disa-stig_example_profile_name
INFO[0002] nist_800_53_example_profile_name
infoRunning sicura-agent info will dump all system information being used by the Sicura Agent.
INFO[0000] os.release.major: 7
INFO[0000] scap_filename:
INFO[0000] platform: cpe:/o:centos:7
INFO[0000] cpe_list: {[cpe:/o:centos:7]}
INFO[0000] os.family: centos
INFO[0000] os.release.full: 7
INFO[0000] fqdn: computer-hostname
INFO[0000] kernel: linux
INFO[0000] os.name: centos
INFO[0000] sicura-agent.statedir: /var/db/sicura/agent/state
INFO[0000] sicura-agent.default_scap_scanner: OpenSCAP
Note: Your output will vary from this example depending on your system.
~~register~~ DEPRECATEDRunning sicura-agent register will walk you through an interactive registration process that gets your system to a scannable/enforcable state and connected to an instance of Sicura Console.
An example of the registration process is as follows:
? Enter the name this node will appear on the console as (default: FQDN) node.name
? Enter a URL for your collector https://my-sicura-console:6468
? Enter the registration token for your collector XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
? Select abilities this node can use: [Use arrows to move, space to select, type to filter]
> [x] OpenSCAP -- Perform vulnerability assessment for Linux using the open source OpenSCAP tool.
[ ] jScat -- Perform vulnerability assessment for Windows using the jScat tool.
[ ] CIS-Cat -- Perform CIS assessment using proprietary CIS-Cat Assessor.
[ ] SCE Reporting -- Submit compliance reports generated by Sicura Compliance Engine to Sicura Console.
[x] Enforce Compliance -- Accept compliance enforcement from Sicura Console.
This will register the node of the Sicura Console running at https://my-sicura-console:6468 to use the assessors OpenSCAP and CIS-Cat.
If at any point you need to change any of the information set during registration, you can edit your collector config.
~~scan~~ DEPRECATEDThe four flags for sicura-agent scan are -A, -b, -p and -node.
Set profile to be used for scanning.
Specify the FQDN of the singular node you would like to run a compliance engine scan against.
To perform a scan on your local system, run sicura-agent scan -A API Version -b file.xml -p profile .
Note: If no benchmark or profile are specified the agent will prompt for a selection from the sicura-agent list results.
Note: If you have a benchmark located somewhere sicura-agent list does NOT already know about, you must specify the absolute path._
Example:
sicura-agent scan -b /home/myUsername/benchmarks/MyCustomBenchmarks.xml -p disa-stig_example_profile_name
~~fetch~~ DEPRECATEDTo connect to each of the Sicura Console collectors (see sicura-agent.yaml section for details) and download new/updated content, run sicura-agent fetch.
INFO[0000] [1] Registering collector on http://192.168.0.100:6468/collector/default
INFO[0000] Fetching Benchmark: scap/cis/Sicura_Default_Content-Example-CIS.xml
INFO[0000] Fetching Benchmark: scap/stig/Sicura_Default_Content-Example-STIG.xml
INFO[0000] [1] Benchmarks are up to date
Sicura
© copyright 2022