Sicura Console
  1. Introduction
  2. Installation
  3. RPM Installation
  4. Container Installation
  5. Upgrades
  6. Running Sicura Console
  7. Configuration - Accounts
  8. Configuration - Database
  9. Configuration - Collector
  10. Configuration - Security
  11. Configuration - Plugins
  12. Configuration - Experimental
  13. Sidebar - Administration
  14. Sidebar - Infrastructure
  15. Sidebar - Profiles
  16. Sidebar - Reports
  17. Sidebar - Scheduling
  18. Commands
  19. Known Issues
  20. How To - Enforce compliance
  21. How To - Enforce custom profiles
  22. How To - Use the API

Sidebar - Infrastructure

Management Page

The Management page is where admin users can accept or reject incoming nodes, access the Agent installation drawer, and create automation rules to automatically accept or reject nodes.

Accepting/Rejecting Nodes

When you install and get the Agent running for the first time, your node will initially be found in the Management page. You can accept or reject the node using the ‘Accept’ or ‘Reject’ buttons on that node’s row.

If the Management page has multiple nodes you would like to accept or reject, you can either use the checkbox at the top to select all of the nodes or select specific nodes you would like to accept or reject, then use the ‘Accept’ or ‘Reject’ buttons above the table.

Rejected Nodes

When the rejected button is clicked on one or more nodes, it will be send to the rejected nodes table. This full list of rejected nodes can be found by clicking the “Rejected Nodes” tab.

In the case you want to bring a node back into the “Pending Nodes” table, simply click restore. Once the agent has reconnected, it will appear on the pending list and allow for acceptance into the infrastructure.

Agent Downloads

Inside the Agent Downloads drawer, you can find the Windows executable and Linux RPM for installation. The yum repository and instructions for installation can also be found in this drawer.

Automation Rules

Inside the Automation Rules drawer, you can create different rules in which nodes can be automatically accepted or rejected depending on whether or not they match those custom rules.

Nodes Page

Nodes Tree

The nodes tree allows you to organize your infrastructure any way you like. Each system that has been registered to the console appears here as a node.

The tree can be collapsed by clicking the arrow tab or resized by clicking the resize bar on the right side.

There are two types of nodes that can exist inside the node tree: endpoint and folder.



Nodes (folders only)

The Nodes tab provides an overview of all nodes contained inside. The node name, IP address for that node, and last update date can be seen from this datatable.

Scan Results

The Scan Results tab is used to view the SCAP results from the Sicura Agent.

For folders, the Status column in the datatable will show how many nodes contained within are passing, failing, not-applicable, etc.

Based on Enforcement Tolerance set within the Settings tab. Different rules can be remediated on some systems where others may not.

This is represented by the number displayed below the remediation checkbox

The scan details show an overview of pass/fail status across all the checks from the scan. The scan details also provide filtering options so you can view results by specifying what you want to see.

The datatable provides a list of each check that was evaluated during the scan.

Scan Drawer

After clicking a specific rule, this drawer opens to provide more information. The drawer has two sections:


 Under this section you'll find:

  - The description provides details on the check's purpose and how it can be fixed manually.

  - The XCCDF ID for easy identification.

  - A list of controls this rule affects.


 Under this section you'll find:

   - The **Remediate** button (if enabled in the config and user accessing has the role feature enabled) which can be used to automatically fix the finding on the specified node.

   - The relevant Puppet Hiera data which can be easily copied and pasted into your infrastructure code for continuous enforcement.

Scan History

The Scan History tab provides a quick way to view the past scans done on a node (or nested nodes in the case of a folder). It provides the date/time of scan and submission, which node the scan ran on, how many rules were checked in the scan, what compliance profile the scan was done against, and the collector it was submitted to.


The Permissions tab is used (generally by administrators) to setup what roles different users and groups can have on any given node. The datatable shows the list of all permissions set. By default there is one permission that gives the group Administrators the role of Admin over all nodes and their subsequent children.

By clicking Add Permission, you’ll be able to add additional Users/Groups to roles for this node. These permissions will be inherited down the tree.

NOTE: Your current session needs to have ‘UPDATE’ privileges in order to assign new permissions. Otherwise you’ll only be able to view them.


Properties displays metadata for the specific node selected. Depending on its type, you’ll have more or less information.




Settings contains the settings that have been set or inherited for the node.

A user must have UPDATE permissions on the node in order to apply changes to settings

Enforcement Tolerance:

Defines what level of risk will be allowed when remediating rules from the Scan Results page. By default, level 40 is inherited from the Unassigned or All Nodes folders.

This default can be overridden by toggling the Use custom value switch. If this switch is set on a folder all nodes within the folder without the custom switch toggled will inherit the value set on the parent folder.

Risk goes up the higher the value that is set. Only use risk 100 on experimental nodes as unexpected results may occur due to remediation.

A tolerance level of 0 will disable enforcement entirely for the node.

Default Scan Profiles:

Defines which profile Scan Now should use when triggering a new scan. This setting is required for the Scan Now feature to be enabled.

Folders can set default scan profiles for children of each platform type. These defaults will apply to all top-level children that are set to inherit a profile. Folders can also inherit profiles from their parent and pass it on to their children.

Endpoints can choose to have no profile set, inherit from their parent, or define their own custom default profile. An endpoint with a custom profile set will not inherit from it’s parent.

Scan Triggering

Scan triggering comes in two ways, Scan Now and Scheduled Scans. Both require a connected Sicura Agent.

Note: If running a scan on a folder type, it will scan only the direct children within that folder. Nested folders will need scans to be triggered independently.

Scan Now

For the Scan Now button to appear, a default scan profile is required to be set for an endpoint or for the system platform at the folder level. Only nodes with default scan profiles will trigger a new scan when Scan Now is clicked.

Once clicked the scan will be triggered with the configured scan profile.

Additionally, in the dropdown next to Scan Now, you are able to explicitly trigger a scan from a list of Benchmark authors and their profiles. When you click a specific profile, the scan will be immediately triggered. In folders this will trigger a scan for all nodes that match the selected platform.

Scheduled Scan

To schedule a scan, simply click the dropdown next to the Scan Now button and select Schedule Scan. This will open the Schedule Scan drawer.

Inside the Schedule Scan drawer you can select various options that will be passed along to the agent when it goes to perform the action.

Note: The times specified are the system time of the machine running the Sicura Console. Agents are agnostic to the time of the console and will only pick up the scan when the console’s time has reached the time configured in the scan.

Agent Connection Status

The Agent connection status is a visualization for if the node has an actively running/connected Agent that is ready to accept scans.

There are two states the Agent can be in:

Scheduled Scan Viewer

Clicking this viewer button will open the viewer pop-up screen allowing you to view previously, running, or future scheduled scans for a node.

This shows a scan that failed to complete successfully, a scan that completed successfully, a scan currently running, a scheduled catalog check posted in the future, and a scheduled scan posted in the future.

Note: Both catalog checks and compliance scans show up in the same list.