Virtual Machine (OVA)

ThreatLockDown provides a pre-built virtual machine image in Open Virtual Appliance (OVA) format. It can be imported directly into VirtualBox or any other OVA-compatible virtualization system. Note that this VM only runs on 64-bit systems. It does not provide high availability or scalability out of the box; these can be achieved with a distributed deployment.

Download the virtual appliance (OVA), which contains the following components:

  • Amazon Linux 2

  • ThreatLockDown manager 4.9.0

  • ThreatLockDown indexer 4.9.0

  • Filebeat-OSS 7.10.2

  • ThreatLockDown dashboard 4.9.0

Packages list

  Distribution     Architecture   VM Format   Version   Package
  ---------------  -------------  ----------  --------  ------------------------
  Amazon Linux 2   64-bit         OVA         4.9.0     wazuh-4.9.0.ova (sha512)

Hardware requirements

The following requirements have to be in place before the ThreatLockDown VM can be imported into a host operating system:

  • The host operating system has to be a 64-bit system.

  • Hardware virtualization has to be enabled on the firmware of the host.

  • A virtualization platform, such as VirtualBox, should be installed on the host system.

Out of the box, the ThreatLockDown VM is configured with the following specifications:

  Component                   CPU (cores)   RAM (GB)   Storage (GB)
  --------------------------  ------------  ---------  -------------
  ThreatLockDown v4.9.0 OVA   4             8          50

This hardware configuration can be adjusted to the number of protected endpoints and the volume of indexed alert data. More information about requirements can be found here.

Import and access the virtual machine

  1. Import the OVA to the virtualization platform.

  2. If you're using VirtualBox, set the VMSVGA graphics controller. Any other graphics controller freezes the VM window.

    1. Select the imported VM.

    2. Click Settings > Display.

    3. In Graphics controller, select the VMSVGA option.

  3. Start the machine.

  4. Access the virtual machine with the following user and password, either through the virtualization platform console or over SSH.

    user: wazuh-user
    password: wazuh

    Root login over SSH is disabled, but wazuh-user has sudo privileges. Open a root shell with the following command:

    sudo -i

Access the ThreatLockDown dashboard

Shortly after the VM starts, the ThreatLockDown dashboard can be accessed from a web browser using the following default credentials:

URL: https://<wazuh_server_ip>
user: admin
password: admin

You can find <wazuh_server_ip> by running the following command in the VM:

ip a

Configuration files

All components included in this virtual image are configured to work out of the box, without the need to modify any settings. However, every component can be fully customized. The configuration files are located at:

  • ThreatLockDown manager: /var/ossec/etc/ossec.conf

  • ThreatLockDown indexer: /etc/wazuh-indexer/opensearch.yml

  • Filebeat-OSS: /etc/filebeat/filebeat.yml

  • ThreatLockDown dashboard:

    • /etc/wazuh-dashboard/opensearch_dashboards.yml

    • /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

VirtualBox time configuration

When using VirtualBox, the imported virtual machine may run into problems caused by time skew when VirtualBox synchronizes the guest clock. To avoid this, enable the Hardware Clock in UTC Time option in the System tab of the virtual machine settings.

Note

By default, the network interface type is set to Bridged Adapter. The VM will attempt to obtain an IP address from the network DHCP server. Alternatively, a static IP address can be set by configuring the appropriate network files in the Amazon Linux operating system on which the VM is based.
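The import steps, the VirtualBox clock setting and the bridged-adapter default described above in scripted form, as an added example that is not part of the original documentation. It assumes VBoxManage is on the host PATH, that a checksum file named wazuh-4.9.0.ova.sha512 sits beside the OVA, a headless start, and placeholder values for the VM name and the bridged host interface.

```sh
#!/bin/sh
# Added example (not from the ThreatLockDown documentation): scripted import of the
# OVA into VirtualBox with the settings this page recommends. Assumptions: VBoxManage
# is on PATH, the OVA and a checksum file named <ova>.sha512 are in the current
# directory, and the VM name and bridged host interface below are placeholders.
set -eu

OVA="${OVA:-wazuh-4.9.0.ova}"
VM_NAME="${VM_NAME:-threatlockdown-4.9.0}"   # assumed name for the imported VM
BRIDGE_IF="${BRIDGE_IF:-eth0}"               # host NIC for the Bridged Adapter
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print the VBoxManage commands only

# Hardware requirements from the page: a 64-bit host with hardware virtualization
# exposed by the CPU (vmx = Intel VT-x, svm = AMD-V). Inputs are passed as
# arguments so the checks can be exercised against captured values.
host_is_64bit() { case "$1" in x86_64|amd64) return 0 ;; *) return 1 ;; esac; }
host_has_hw_virt() { printf '%s' "$1" | grep -Eqw 'vmx|svm'; }

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The import procedure, followed by the VirtualBox settings the page calls for:
# VMSVGA graphics controller (other controllers freeze the VM window), hardware
# clock in UTC (avoids guest time skew) and a bridged NIC for DHCP on the LAN.
import_ova() {
  run VBoxManage import "$OVA" --vsys 0 --vmname "$VM_NAME"
  run VBoxManage modifyvm "$VM_NAME" --graphicscontroller vmsvga
  run VBoxManage modifyvm "$VM_NAME" --rtcuseutc on
  run VBoxManage modifyvm "$VM_NAME" --nic1 bridged --bridgeadapter1 "$BRIDGE_IF"
  run VBoxManage startvm "$VM_NAME" --type headless
}

main() {
  host_is_64bit "$(uname -m)" || { echo "host is not a 64-bit system" >&2; exit 1; }
  host_has_hw_virt "$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true)" \
    || { echo "hardware virtualization is not enabled on this host" >&2; exit 1; }
  # Check the download against the published SHA-512 before importing it.
  sha512sum -c "$OVA.sha512"
  import_ova
  echo "VM '$VM_NAME' started; find its address with 'ip a' inside the guest."
}

# Invoke as: sh import_ova.sh --run   (or DRY_RUN=1 sh import_ova.sh --run)
if [ "${1:-}" = "--run" ]; then main; fi
```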

Once the virtual machine is imported and running, the next step is to deploy the ThreatLockDown agents on the systems to be monitored.

Upgrading the VM

The virtual machine can be upgraded as a traditional installation: