Sicura Console
  1. Introduction
  2. Installation
  3. RPM Installation
  4. Container Installation
  5. Upgrades
  6. Running Sicura Console
  7. Configuration - Accounts
  8. Configuration - Database
  9. Configuration - Collector
  10. Configuration - Security
  11. Configuration - Plugins
  12. Sidebar - Administration
  13. Sidebar - Infrastructure
  14. Sidebar - Reports
  15. Commands
  16. Known Issues
  17. How To - Enforce compliance
  18. How To - Compliance profile tailoring and customization

Automatic compliance enforcement is one of the industry leading features the Sicura Console offers. Getting set up for enforcement is easy and can be accomplished in a few steps.

Step 1: Install the Agent

Assuming you have a fresh Console and a node you wish to enforce compliance on, first go to the Infrastructure > Client Installation page via the sidebar navigation.

Step 2: Start the Agent

The Sicura Agent can be started either in the foreground or in the background.

Step 3: Run a scan

From the Console UI, trigger a scan either by clicking the Scan Now button or run sicura-agent scan from the command line.

Verify that the scan completes with no errors and successfully submits its results to the console.

Step 4: Fix a a rule

A single rule can be fixed by selecting the rule name in the results. This will open the Scan Drawer

Navigate to the Remediation tab, and click the Remediate button.

Once the changes are loaded, review what actions will be performed on the system.

If all looks as to be expected, check the Trigger scan after changes are applied checkbox if desired and click Apply Changes.

Step 5: Fix multiple rules

Multiple rules can be fixed by using the checkboxes next to each rule displayed in the Scan Results tab on the Nodes page.

After selecting the all of the rules you wish to apply, an alert will appear on the bottom noting how many rules will be applied.

Clicking Remediate the selected checks will bring up the same review window as mentioned in Step 3.

Step 6: Fixing multiple nodes

Remediation across multiple nodes works identically to that of a single node. In order to begin, navigate through the node tree to the folder containing the nodes for remediation.

Next, select the appropriate platform and profile you wish to remediate against. For example, a STIG profile on Red Hat 7:

Select the check (or multiple checks) and remediate as you would a single node.

The changes can be previewed individually by clicking the node’s name on the side of the preview window. Once the changes have been previewed, check beside the nodes you’d like to take action on.

Click Apply Changes.

Checks to avoid

Currently there are a few checks that cannot be enforced using the Sicura Console enforcement methods and must be handled using a proper Puppet infrastructure running a full Sicura environment.

Checking any of these may result in the failure of the entire enforcement job.

Be sure when selecting multiple rules to not include the following:

DISA STIG

### Red Hat Enterprise Linux 7 - The RHEL operating system must use a separate file system for /tmp (or equivalent).

- The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.
 
- Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
 
- The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.
 
- The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.   ### Red Hat Enterprise Linux 8
- RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.

### Oracle Linux 7 - Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.

- The Oracle Linux operating system must implement certificate status checking for PKI authentication.
 
- The Oracle Linux operating system must use a separate file system for `/tmp` (or equivalent).
 
- The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.

CIS

### Red Hat Enterprise Linux 7 / Oracle Linux 7 / CentOS 7 - Ensure sudo commands use pty

- Ensure `rsyslog` is configured to send logs to a remote log host
  
- Ensure permissions on SSH private host key files are configured

### Red Hat Enterprise Linux 8 / Oracle Linux 8 / CentOS 8 - Ensure sudo commands use pty

- Ensure rsyslog is configured to send logs to a remote log host

- Ensure bootloader password is set
 
- Ensure iptables service is not enabled with firewalld

- Ensure iptables default deny firewall policy

- Ensure iptables loopback traffic is configured

- Ensure iptables firewall rules exist for all open ports

- Ensure iptables is enabled and active

- Ensure iptables are flushed with nftables

- Ensure iptables default deny firewall policy

- Ensure iptables loopback traffic is configured

- Ensure iptables outbound and established connections are configured

- Ensure iptables firewall rules exist for all open ports

- Ensure iptables is enabled and active

- Ensure ip6tables default deny firewall policy

- Ensure ip6tables loopback traffic is configured

- Ensure ip6tables outbound and established connections are configured

- Ensure ip6tables firewall rules exist for all open ports

- Ensure ip6tables is enabled and active

- Ensure an nftables table exists

- Ensure nftables base chains exist

- Ensure nftables loopback traffic is configured

- Ensure nftables outbound and established connections are configured

- Ensure nftables default deny firewall policy

- Ensure nftables service is enabled

- Ensure nftables rules are permanent