Install ThreatLockDown components using the assistant

Install and configure the different ThreatLockDown components with the aid of the ThreatLockDown installation assistant.

Note

You need root user privileges to run all the commands described below.

Make sure that a copy of the wazuh-install-files.tar and wazuh-offline.tar.gz files, created during the initial configuration step, is placed in your working directory.

Installing the ThreatLockDown indexer

Install and configure the ThreatLockDown indexer nodes.

  1. Run the assistant with the --offline-install option to perform an offline installation. Use the option --wazuh-indexer followed by the node name to install and configure the ThreatLockDown indexer. The node name must be the same one used in config.yml for the initial configuration, for example, node-1.

    # bash wazuh-install.sh --offline-install --wazuh-indexer node-1
    

    Repeat this step for every ThreatLockDown indexer node in your cluster. Then proceed with initializing your single-node or multi-node cluster in the next step.

  2. Run the ThreatLockDown installation assistant with option --start-cluster on any ThreatLockDown indexer node to load the new certificates information and start the cluster.

    # bash wazuh-install.sh --start-cluster
    

    Note

    You only have to initialize the cluster once; there is no need to run this command on every node.

Testing the cluster installation

  1. Run the following command to get the admin password:

    # tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
    
  2. Run the following command to confirm that the installation is successful. Replace <ADMIN_PASSWORD> with the password obtained from the output of the previous command. Replace <WAZUH_INDEXER_IP> with the configured ThreatLockDown indexer IP address:

    # curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200
    
    {
      "name" : "node-1",
      "cluster_name" : "wazuh-cluster",
      "cluster_uuid" : "095jEW-oRJSFKLz5wmo5PA",
      "version" : {
        "number" : "7.10.2",
        "build_type" : "rpm",
        "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
        "build_date" : "2023-06-03T06:24:25.112415503Z",
        "build_snapshot" : false,
        "lucene_version" : "9.6.0",
        "minimum_wire_compatibility_version" : "7.10.0",
        "minimum_index_compatibility_version" : "7.0.0"
      },
      "tagline" : "The OpenSearch Project: https://opensearch.org/"
    }
    
  3. Replace <WAZUH_INDEXER_IP> and <ADMIN_PASSWORD>, and run the following command to check if the cluster is working correctly:

    # curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
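
    The following script is an added example, not part of the original page or of the installation assistant: it automates the two checks above, pulling the admin password out of the lines the tar|grep pipeline returns and verifying from the /_cat/nodes?v output that every indexer node listed in config.yml has joined and that exactly one cluster manager is elected. Both inputs are constructed samples embedded in the script.

```bash
#!/bin/bash
# Added example, not part of the original page: checks for the indexer cluster
# test steps above. The two inputs are constructed stand-ins for the lines the
# tar|grep pipeline returns and for the /_cat/nodes?v response.
set -u

# Constructed sample: the two lines grep -A 1 prints for the 'admin' entry.
SAMPLE_PASSWORDS="  indexer_username: 'admin'
  indexer_password: 'ExamplePass123'"

# Constructed sample of /_cat/nodes?v for a three-node cluster. The elected
# manager carries '*' in the master (or cluster_manager) column.
SAMPLE_NODES="ip       heap.percent ram.percent cpu node.role master name
10.0.0.1 23           82          3   dimr      *      node-1
10.0.0.2 19           79          2   dimr      -      node-2
10.0.0.3 21           80          2   dimr      -      node-3"

# Print the single-quoted value on the line that follows the 'admin' line.
extract_admin_password() {
  printf '%s\n' "$1" | awk -F"'" "/'admin'/ { getline; print \$2 }"
}

# Verify that every expected node joined and that exactly one manager is
# elected. Columns are located by header name so the check does not depend
# on column order or on the master/cluster_manager naming.
# $1: space-separated expected node names, $2: /_cat/nodes?v output
check_cluster_nodes() {
  printf '%s\n' "$2" | awk -v expected="$1" '
    NR == 1 {
      for (i = 1; i <= NF; i++) {
        if ($i == "name") name_col = i
        if ($i == "master" || $i == "cluster_manager") master_col = i
      }
      if (!name_col || !master_col) { print "header lacks name/master column"; bad = 2; exit }
      next
    }
    { seen[$name_col] = 1; if ($master_col == "*") managers++ }
    END {
      if (bad) exit bad
      n = split(expected, want, " ")
      for (i = 1; i <= n; i++)
        if (!seen[want[i]]) { print "missing node: " want[i]; exit 1 }
      if (managers != 1) { print "elected managers: " (managers + 0); exit 1 }
      print "ok: " n " nodes joined, one manager elected"
    }'
}

check_cluster_nodes "node-1 node-2 node-3" "$SAMPLE_NODES"
```

    To run it against a live cluster, feed check_cluster_nodes the output of the curl command from step 3 instead of SAMPLE_NODES; a non-zero exit means a node is missing or no single manager is elected.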
    

Installing the ThreatLockDown server

  1. Run the assistant with the --offline-install option to perform an offline installation. Use the option --wazuh-server followed by the node name to install the ThreatLockDown server. The node name must be the same one used in config.yml for the initial configuration, for example, wazuh-1.

    # bash wazuh-install.sh --offline-install --wazuh-server wazuh-1
    

Your ThreatLockDown server is now successfully installed.

  • If you want a ThreatLockDown server multi-node cluster, repeat this step on every ThreatLockDown server node.

  • If you want a ThreatLockDown server single-node cluster, everything is set and you can proceed directly with the next stage.

Installing the ThreatLockDown dashboard

  1. Run the assistant with the --offline-install option to perform an offline installation. Use the option --wazuh-dashboard followed by the node name to install and configure the ThreatLockDown dashboard. The node name must be the same one used in config.yml for the initial configuration, for example, dashboard.

    # bash wazuh-install.sh --offline-install --wazuh-dashboard dashboard
    

    The default ThreatLockDown web user interface port is 443, used by the ThreatLockDown dashboard. You can change this port using the optional parameter -p|--port <port_number>. Some recommended ports are 8443, 8444, 8080, 8888, and 9000.

    Once the assistant finishes the installation, the output shows the access credentials and a message that confirms that the installation was successful.

    INFO: --- Summary ---
    INFO: You can access the web interface https://<wazuh-dashboard-ip>
       User: admin
       Password: <ADMIN_PASSWORD>
    
    INFO: Installation finished.
    

    You have now installed and configured Wazuh. All passwords generated by the ThreatLockDown installation assistant can be found in the wazuh-passwords.txt file inside the wazuh-install-files.tar archive. To print them, run the following command:

    # tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
    
  2. Access the ThreatLockDown web interface with your credentials.

    • URL: https://<wazuh-dashboard-ip>

    • Username: admin

    • Password: <ADMIN_PASSWORD>

    When you access the ThreatLockDown dashboard for the first time, the browser shows a warning stating that the certificate was not issued by a trusted authority. You can add an exception in the advanced options of the web browser. For increased security, import the previously generated root-ca.pem file into the certificate manager of the browser instead. Alternatively, configure a certificate from a trusted authority.