ThreatLockDown Agent

This role is designed to install and configure the ThreatLockDown Agent on different hosts. There are agent installer packages for Linux, macOS, and Windows machines. This role can also enroll the agent in the ThreatLockDown Manager. Below are some variables you can use to customize the installation:

  • wazuh_managers: This specifies a list of ThreatLockDown manager node(s) for ThreatLockDown agents to report to.

  • wazuh_agent_authd: This specifies a set of options to register the ThreatLockDown agent on the ThreatLockDown server. This requires the wazuh-authd service to be running on the ThreatLockDown server.

To use the role in a playbook, a YAML file wazuh-agent.yml can be created with the contents below:

- hosts: all:!wazuh-manager
  roles:
   - ansible-wazuh-agent

You can maintain different environments using a variable definition YAML file for each one:

  • For a production environment, the variables can be saved in vars-production.yml:

wazuh_managers:
  - address: 10.1.1.12
    port: 1514
    protocol: udp
wazuh_agent_authd:
  registration_address: 10.1.1.12
  enable: true
  port: 1515
  ssl_agent_ca: null
  ssl_auto_negotiate: 'no'

  • For a development environment, the variables can be saved in vars-development.yml:

wazuh_managers:
  - address: 192.168.0.10
    port: 1514
    protocol: udp
wazuh_agent_authd:
  registration_address: 192.168.0.10
  enable: true
  port: 1515
  ssl_agent_ca: null
  ssl_auto_negotiate: 'no'

To run the playbook for a specific environment, run the command below:

$ ansible-playbook wazuh-agent.yml -e@vars-production.yml

The example above, for a production environment, installs a ThreatLockDown agent on every host except those in the wazuh-manager group. It then registers the agents against the ThreatLockDown manager at IP address 10.1.1.12.
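Because the vars file passed with -e decides which manager every agent enrolls with, it helps to check it before the role runs. The playbook below is an added example, not part of the role or the original page: it validates the variables, confirms the enrollment port is reachable, and reports when no CA file is set. It assumes Linux or macOS targets and that ssl_agent_ca is the CA file the agent uses to verify the manager during enrollment (confirm this in the variables reference).

```yaml
# Added example: wazuh-agent.yml with pre-flight checks before the role runs.
# Assumption: Linux/macOS targets (wait_for does not run on Windows hosts).
- hosts: all:!wazuh-manager
  pre_tasks:
    - name: Validate manager and enrollment variables from the vars file
      ansible.builtin.assert:
        that:
          - wazuh_managers is defined
          - wazuh_managers | length > 0
          - wazuh_agent_authd.enable | bool
          - wazuh_agent_authd.port | int > 0
          - wazuh_agent_authd.port | int < 65536
          # Convention of the sample vars files, not a role requirement:
          # agents enroll with one of the managers they report to.
          - wazuh_agent_authd.registration_address in (wazuh_managers | map(attribute='address') | list)
        fail_msg: "Manager or enrollment variables are missing or inconsistent; check the vars file."

    - name: Confirm the wazuh-authd enrollment port is reachable from this host
      ansible.builtin.wait_for:
        host: "{{ wazuh_agent_authd.registration_address }}"
        port: "{{ wazuh_agent_authd.port | int }}"
        timeout: 10
        msg: "Cannot reach the enrollment port on the registration address."

    - name: Report enrollment without a CA file
      ansible.builtin.debug:
        msg: >-
          ssl_agent_ca is null, so enrollment with
          {{ wazuh_agent_authd.registration_address }} will not check the
          manager certificate against a CA file. Set ssl_agent_ca to a CA
          path if the manager identity must be verified.
      when: (wazuh_agent_authd.ssl_agent_ca | default(none)) is none

  roles:
    - ansible-wazuh-agent
```

Run it the same way as the original playbook; a failed assertion or an unreachable port stops that host before the agent is installed.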

Please review the variables references section to see all variables available for this role.