Sicura Agent
  1. Introduction
  2. Installation
  3. Upgrade
  4. Commands
  5. Configuration

The Sicura Agent Configuration File

Once your copy of Sicura Agent has been installed certain options can be set inside the sicura-agent.yaml file.

NOTE: This file is not generated during install time and requires you run the sicura-agent at least once to be generated.

The config file can be found here:

Linux: /etc/sicura/sicura-agent.yaml

Windows: C:\Program Files\Sicura\Sicura Agent\sicura-agent.yaml

The Sicura Agent config file has four sections. Each section has a set of options which, by default, are disabled (commented out). To enable an option, remove the comment # and enter in the relavent information for that option.


NOTE: Options within this section control the agent’s functionality system-wide.


By selecting log-level you will be able to control what information is output by the agent to stdout and stderr. The levels can be lowered or raised seven values for troubleshooting: trace, debug, info, warn, error, fatal, and panic. The default is info.


This true/false option allows you to choose if you want output from the scanner to go to a file in addition to the terminal’s stdout/stderr. This is ideal for archiving situations. The default destination for this file is STATE_DIRECTORY/sicura-agent.log


This is a custom-defined path where the log file will be saved. This will allow you to override the default log location.


The Sicura Agent will error and fail when trying to pull Sicura_Default_Content*** from the console if you are using an unsupported platform. If force_scan is set to true, this error will become a warning and continue running.

NOTE: Use this option at your own risk! Using an unsupported platform may cause undesired results for both the agent and the console.


When using sicura-agent run or running the Sicura Agent as a service, the process will occasionally reconnect to its collector(s). The collector-request-interval option allows you to adjust the wait period between connections. The default is set to 30 seconds.


In some cases when doing CIS scans, a result-set may come back with all ‘Not Applicable’. If this is the case, this option can be set true to attempt a CPE agnostic scan.


Defines the information needed for the Agent to make a connection to connect to the Sicura Console.


(true) whether a secure protocol should be used when accessing the console collector.


The hostname that connections should be made to. Overrides the default of the sicura-console-collector well known DNS entry.


(6468) The port on which the Sicura Console is running and accepting connections.


Any output from the Agent is considered a “Report”. By default, reports are sent to the Sicura Console collector for further evaluation and displayed in the Console UI. If desired, they can be kept on the local system.


save-reports This true/false setting will allow you to save the reports for each job. If true, reports save to STATE_DIRECTORY/reports by default. report-path Allows you to override the default path for reports.


This section outlines the various collectors registered to the Sicura Agent. Collectors are defined in a list within the file and each collector has its own set of sub-options. These sub-options are collector, url, registration_token, abilities, and node-name.

Collector entries can be added manually or automatically appended using the sicura-agent register command.

An example collector configuration could look like this:

    url: https://my-sicura-console:6468/collector/default
    registration_token: XXXXXXXXXXXXXXXXXXXXXXX 
    node-name: ""

Currently, all collectors use the name default, therefore expect each collector registered to start with ‘default’ before defining their own options.

The types of abilities supported are:

When sicura-agent executes a command, it runs it against every collector defined. For example, if you have three registered collectors, sicura-agent fetch will call out to each of them to fetch content.


The following options allow for configuration specific to the ability type in use (OpenSCAP/CIS-CAT/jScat/etc)


Note: Use these options as a catch-all in case no other options are specified elsewhere (best used with the “Scan Now” button)

CIS-Cat Assessor Pro