Virtual Machine (OVA)
ThreatLockDown provides a pre-built virtual machine image in Open Virtual Appliance (OVA) format. This can be directly imported to VirtualBox or other OVA compatible virtualization systems. Take into account that this VM only runs on 64-bit systems. It does not provide high availability and scalability out of the box. However, these can be implemented by using distributed deployment.
Download the virtual appliance (OVA), which contains the following components:
Amazon Linux 2
ThreatLockDown manager 4.9.0
ThreatLockDown indexer 4.9.0
Filebeat-OSS 7.10.2
ThreatLockDown dashboard 4.9.0
Packages list
Distribution | Architecture | VM Format | Version | Package
---|---|---|---|---
Amazon Linux 2 | 64-bit | OVA | 4.9.0 |
Hardware requirements
The following requirements have to be in place before the ThreatLockDown VM can be imported into a host operating system:
The host operating system has to be a 64-bit system.
Hardware virtualization has to be enabled on the firmware of the host.
A virtualization platform, such as VirtualBox, should be installed on the host system.
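A pre-import check for the host, added here as an example and not part of the ThreatLockDown project: it verifies the three requirements above on a Linux host. Each check takes its input as an argument so the same functions also run against sample data; it assumes an x86-64 host with /proc/cpuinfo, and treats a VBoxManage binary on the PATH as the sign that VirtualBox is installed.

```shell
#!/bin/sh
# Host pre-flight checks before importing the ThreatLockDown OVA (added example).

# The host must be 64-bit. The appliance is assumed to be an x86-64 image,
# so only x86-64 machine names are accepted (assumption, not from the page).
host_is_64bit() {
  case "$1" in
    x86_64|amd64) return 0 ;;
    *) return 1 ;;
  esac
}

# Hardware virtualization must be enabled in firmware. On Linux the kernel
# lists vmx (Intel VT-x) or svm (AMD-V) in the CPU flags only when it is usable.
# Argument: the contents of /proc/cpuinfo.
virt_enabled() {
  printf '%s\n' "$1" |
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)'
}

# A virtualization platform must be installed; VirtualBox ships VBoxManage.
# Argument: a PATH-style, colon-separated list of directories to search.
virtualbox_installed() {
  (
    IFS=:
    for dir in $1; do
      [ -x "$dir/VBoxManage" ] && exit 0
    done
    exit 1
  )
}

# Run every check against the live host; exit status is 0 only if all pass.
preflight() {
  rc=0
  host_is_64bit "$(uname -m)" && echo "ok: 64-bit host" \
    || { echo "FAIL: host is not a 64-bit x86 system"; rc=1; }
  virt_enabled "$(cat /proc/cpuinfo 2>/dev/null)" && echo "ok: vmx/svm present" \
    || { echo "FAIL: hardware virtualization not enabled in firmware"; rc=1; }
  virtualbox_installed "$PATH" && echo "ok: VBoxManage found" \
    || { echo "FAIL: VirtualBox (VBoxManage) not found in PATH"; rc=1; }
  return $rc
}

# Live checks run only when requested, so the functions can be sourced for tests.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
  preflight
fi
```

Run it on the host with `RUN_PREFLIGHT=1 sh preflight.sh` before importing the OVA.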
Out of the box, the ThreatLockDown VM is configured with the following specifications:
Component | CPU (cores) | RAM (GB) | Storage (GB)
---|---|---|---
ThreatLockDown v4.9.0 OVA | 4 | 8 | 50
However, this hardware configuration can be modified depending on the number of protected endpoints and indexed alert data. More information about requirements can be found here.
Import and access the virtual machine
Import the OVA to the virtualization platform.
If you're using VirtualBox, set the VMSVGA graphic controller; setting any other graphic controller freezes the VM window. To do so, select the imported VM, click Settings > Display, and in Graphic controller select the VMSVGA option.
Start the machine.
Access the virtual machine using the following user and password. You can use the virtualization platform or access it via SSH.
user: wazuh-user
password: wazuh
SSH root user login has been deactivated; nevertheless, the wazuh-user retains sudo privileges. Root privilege escalation can be achieved by executing the following command:
sudo -i
Access the ThreatLockDown dashboard
Shortly after starting the VM, the ThreatLockDown dashboard can be accessed from the web interface by using the following credentials:
URL: https://<wazuh_server_ip>
user: admin
password: admin
You can find <wazuh_server_ip> by typing the following command in the VM:
ip a
Configuration files
All components included in this virtual image are configured to work out-of-the-box, without the need to modify any settings. However, all components can be fully customized. These are the configuration files locations:
ThreatLockDown manager:
/var/ossec/etc/ossec.conf
ThreatLockDown indexer:
/etc/wazuh-indexer/opensearch.yml
Filebeat-OSS:
/etc/filebeat/filebeat.yml
ThreatLockDown dashboard:
/etc/wazuh-dashboard/opensearch_dashboards.yml
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
VirtualBox time configuration
If you are using VirtualBox, the imported virtual machine may run into issues caused by time skew when VirtualBox synchronizes the time of the guest machine. To avoid this situation, enable the Hardware Clock in UTC Time option in the System tab of the virtual machine configuration.
Note
By default, the network interface type is set to Bridged Adapter. The VM will attempt to obtain an IP address from the network DHCP server. Alternatively, a static IP address can be set by configuring the appropriate network files in the Amazon Linux operating system on which the VM is based.
Once the virtual machine is imported and running, the next step is to deploy the ThreatLockDown agents on the systems to be monitored.
Upgrading the VM
The virtual machine can be upgraded as a traditional installation: