Installing the ThreatLockDown agent from sources

The ThreatLockDown agent is a single and lightweight monitoring software. It is a multi-platform component that provides visibility into the endpoint’s security by collecting critical system and application records. The following section explains how to install it from sources.

Note

You need root user privileges to run all the commands described below. Since ThreatLockDown 3.5, it is necessary to have an Internet connection when following this process.

Note

CMake 3.12.4 is the minimal library version required to build the ThreatLockDown agent solution.

Install development tools and compilers. In Linux, this can easily be done using your distribution’s package manager:

# yum update -y
# yum install make gcc gcc-c++ policycoreutils-python automake autoconf libtool centos-release-scl openssl-devel wget bzip2 -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /bin/g++ /usr/bin/c++ && ln -fs /bin/gcc /usr/bin/cc && cd .. && rm -rf gcc-*

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz
# cd cmake-3.18.3 && ./bootstrap --no-system-curl
# make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

# yum install make gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool openssl-devel cmake
# yum-config-manager --enable powertools
# yum install libstdc++-static -y

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# export PATH=/usr/local/bin:$PATH

# apt-get install python gcc g++ make libc6-dev curl policycoreutils automake autoconf libtool libssl-dev

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

# zypper install -y make gcc gcc-c++ policycoreutils-python automake autoconf libtool libopenssl-devel curl

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

Note

For Suse 11, it is possible that some of the tools are not found in the package manager, in that case you can add the following official repository:

# zypper addrepo http://download.opensuse.org/distribution/11.4/repo/oss/ oss

GCC/G++ 9.4 is the recommended version to build wazuh.

# pacman --noconfirm -Syu curl gcc make sudo wget expect gnupg perl-base perl fakeroot python brotli automake autoconf libtool gawk libsigsegv nodejs base-devel inetutils cmake

Alpine Package Keeper is the default package manager that Alpine Linux uses to manage its packages.

# apk --update add automake autoconf cmake curl gcc gettext-dev g++ linux-headers libgcc libtool make procps python3 openssl-dev

Download and extract the latest version:

# curl -Ls https://github.com/wazuh/wazuh/archive/v4.9.0.tar.gz | tar zx

Run the install.sh script. This will run a wizard that will guide you through the installation process using the ThreatLockDown sources:
```
# cd wazuh-4.9.0
# ./install.sh
```
If you have previously compiled for another platform, you must clean the build using the Makefile in src:
```
# cd wazuh-4.9.0
# make -C src clean
# make -C src clean-deps
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing ThreatLockDown inside it. You can also run an unattended installation.
The script will ask about what kind of installation you want. Type agent in order to install a ThreatLockDown agent:
```
1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent
```

Next steps

Now that the agent is installed, the next step is to enroll the agent with the ThreatLockDown server. For more information about this process, please check the ThreatLockDown agent enrollment section.

Uninstall

To uninstall the ThreatLockDown agent, set WAZUH_HOME with the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf $WAZUH_HOME

Delete the service:

# [ -f /etc/rc.local ] && sed -i'' '/wazuh-control start/d' /etc/rc.local
# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

# find /etc/systemd/system -name "wazuh*" | xargs rm -f
# systemctl daemon-reload

Remove ThreatLockDown user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

Note

The following procedure has been tested on Ubuntu 22.04 and may work with other Debian/Ubuntu versions as well. It is required to use MinGW 10.

Set up the Ubuntu build environment. Install these dependencies to build the Windows ThreatLockDown agent installer on Ubuntu:
```
# apt-get install curl gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis make cmake
```
Set up Windows build environment. To generate the installer, the following dependencies must be in place on the Windows machine:
- WiX Toolset.
- .NET framework 3.5.1.
- Microsoft Windows SDK.

Download the ThreatLockDown source code on the Ubuntu machine and unzip it:

# curl -Ls https://github.com/wazuh/wazuh/archive/v4.9.0.tar.gz | tar zx
# cd wazuh-4.9.0/src

Compile the Agent by running the make command:
```
# make deps TARGET=winagent
# make TARGET=winagent
```
The following output will appear at the end of the building process:
```
Done building winagent
```
Moves the entire repository to the Windows machine. It is recommended to compress it to speed up the process.
```
# cd ../.. && zip -r wazuh.zip wazuh-4.9.0
```
Decompress the repository on the Windows machine, run the wazuh-installer-build-msi.bat script from the win32 folder.
```
> cd wazuh-4.9.0\src\win32
> .\wazuh-installer-build-msi.bat
```
If you do not want to sign the installer, you will have to comment or delete the signtool line in the previous script.
```
:: signtool sign /a /tr http://timestamp.digicert.com /d "%MSI_NAME%" /fd SHA256 /td SHA256 "%MSI_NAME%"
```

Specify the version and the revision number when prompted. This will also generate the Windows installer file. In the following output, the version is set as 4.9.0 and the revision is set as 1. This generates the Windows installer wazuh-agent-4.9.0-1.msi

C:\wazuh\wazuh-4.9.0\src\win32>REM IF VERSION or REVISION are empty, ask for their value

C:\wazuh\wazuh-4.9.0\src\win32>IF [] == [] set /p VERSION=Enter the version of the ThreatLockDown agent (x.y.z):
Enter the version of the ThreatLockDown agent (x.y.z):4.9.0

C:\wazuh\wazuh-4.9.0\src\win32>IF [] == [] set /p REVISION=Enter the revision of the ThreatLockDown agent:
Enter the revision of the ThreatLockDown agent:1

C:\wazuh\wazuh-4.9.0\src\win32>SET MSI_NAME=wazuh-agent-4.9.0-1.msi

Proceed to install wazuh-agent-4.9.0-1.msi by following the installation guide.

Next steps

Uninstall

To uninstall the agent, the original MSI file will be needed to perform the unattended process:

msiexec.exe /x wazuh-agent-4.9.0-1.msi /qn

Install brew, a package manager for macOS:

$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Warning

In some macOS versions, this first command may fail reporting that homebrew/core is shallow clone. If this happens, run the following commands to solve it.
$ rm -rf "/usr/local/Homebrew/Library/Taps/homebrew/homebrew-core"
$ brew tap homebrew/core
After that, run again the first one to properly install brew:
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Install development tools and compilers through brew.

$ brew install automake autoconf libtool cmake

Download and extract the latest version:
```
# curl -Ls https://github.com/wazuh/wazuh/archive/v4.9.0.tar.gz | tar zx
```
Note

All the commands described below need to be executed with root user privileges.
Run the install.sh script. This will run a wizard that will guide you through the installation process using the ThreatLockDown sources:
```
# cd wazuh-4.9.0
# USER_DIR="/Library/Ossec" ./install.sh
```
Note

Note that with the variable USER_DIR, it has been indicated that the agent installation path is /Library/Ossec

If you have previously compiled for another platform, you must clean the build using the Makefile in src:
```
# cd wazuh-4.9.0
# make -C src clean
# make -C src clean-deps
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/Library/Ossec]). The default path of installation is /Library/Ossec. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing ThreatLockDown inside it. You can also run an unattended installation.
The script will ask about what kind of installation you want. Type agent in order to install a ThreatLockDown agent:
1- What kind of installation do you want (manager, agent, local, hybrid, or help)? agent

Next steps

Uninstall

To uninstall ThreatLockDown agent, set WAZUH_HOME with the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf $WAZUH_HOME

Delete the service:

# rm -rf /Library/StartupItems/WAZUH

Remove ThreatLockDown user and group:

# dscl . -delete "/Users/wazuh" > /dev/null 2>&1
# dscl . -delete "/Groups/wazuh" > /dev/null 2>&1

AIX 6.1 TL9 or greater is the supported version for the following installation procedure.

Note

All the commands described below need to be executed with root user privileges. Since ThreatLockDown 3.5, it is necessary to have an Internet connection when following this process.

Install development tools and compilers.

Download the wget tool.

# rpm -Uvh --nodeps http://packages-dev.wazuh.com/deps/aix/wget-1.19-1.aix6.1.ppc.rpm

Download the following script.
```
# wget https://raw.githubusercontent.com/wazuh/wazuh-packages/4.9/aix/generate_wazuh_packages.sh --no-check-certificate
```
Note

If you can’t download the script this way, then you should download it using another machine and copy it to the AIX machine via the scp utility.

Download bash and libiconv.

# rpm -Uvh --nodeps http://packages-dev.wazuh.com/deps/aix/bash-4.4-4.aix6.1.ppc.rpm
# rpm -Uvh --nodeps http://packages-dev.wazuh.com/deps/aix/libiconv-1.14-22.aix6.1.ppc.rpm

Install the necessary dependencies using the script.

# chmod +x generate_wazuh_packages.sh
# ./generate_wazuh_packages.sh -e

Note

This step may take a few minutes.

Download the latest version.

# wget -O wazuh.tar.gz --no-check-certificate https://api.github.com/repos/wazuh/wazuh/tarball/v4.9.0
# gunzip -c wazuh.tar.gz | tar -xvf -

Note

If you can't download the repository this way, then you should copy it via the scp utility.

Compile the sources.

# cd wazuh-4.9.0
# cd src
# gmake clean-deps
# gmake clean
# gmake deps TARGET=agent RESOURCES_URL=http://packages.wazuh.com/deps/27
# gmake TARGET=agent USE_SELINUX=no PREFIX=/var/ossec

Run the install.sh script. This will run a wizard that will guide you through the installation process using the ThreatLockDown sources:
```
# cd ..
# ./install.sh
```
If you have previously compiled for another platform, you must clean the build using the Makefile in src:
```
# gmake -C src clean-deps
# gmake -C src clean
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing ThreatLockDown inside it. You can also run an unattended installation.
Finally, apply the following configuration:
```
# sed '/System inventory/,/^$/{/^$/!d;}' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp
# mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf
```
Note

Note that the above commands have been executed for the default installation path /var/ossec. If you have installed the agent in another path, you will have to modify the path of those commands.

Next steps

Uninstall

To uninstall ThreatLockDown agent, set WAZUH_HOME with the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf $WAZUH_HOME

Delete the service:

# find /etc/rc.d -name "*wazuh*" | xargs rm -f

Remove ThreatLockDown user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

Note

All the commands described below need to be executed with root user privileges. Since ThreatLockDown 3.5, it is necessary to have an Internet connection when following this process.

Install development tools and compilers.
1. Download the depothelper-2.10-hppa_32-11.31.depot file.
```
# /usr/local/bin/wget https://github.com/wazuh/wazuh-packages/raw/master/hp-ux/depothelper-2.10-hppa_32-11.31.depot --no-check-certificate
```
  Note
  
  If you can’t download the script this way, then you should download it using another machine and copy it to the HP-UX machine via the scp utility.
2. Install the package manager. The absolute path to the depot file is used.
```
# swinstall -s /ABSOLUTE/PATH/depothelper-2.10-hppa_32-11.31.depot \*
```
3. Download the wget tool (If it is not installed).
```
# /usr/local/bin/depothelper -f wget
```
4. Download the following script
```
# /usr/local/bin/wget https://raw.githubusercontent.com/wazuh/wazuh-packages/master/hp-ux/generate_wazuh_packages.sh --no-check-certificate
```
  Note
  
  If you can't download the script this way, then you should copy it via the scp utility.
5. Install the necessary dependencies using the script.
```
# chmod +x generate_wazuh_packages.sh
# ./generate_wazuh_packages.sh -e
```
Note

This step may take a long time.
Download the latest version.
```
# /usr/local/bin/curl -k -L -O https://github.com/wazuh/wazuh/archive/v4.9.0.zip && /usr/local/bin/unzip v4.9.0
```
Note

If you can't download the repository this way, then you should copy it via the scp utility.

Compile the sources.

# cd wazuh-4.9.0
# /usr/local/bin/gmake -C src deps RESOURCES_URL=http://packages.wazuh.com/deps/27 TARGET=agent
# /usr/local/bin/gmake -C src TARGET=agent USE_SELINUX=no

Run the install.sh script. This will run a wizard that will guide you through the installation process using the ThreatLockDown sources:
```
# ./install.sh
```
If you have previously compiled for another platform, you must clean the build using the Makefile in src:
```
# /usr/local/bin/gmake -C src clean-deps
# /usr/local/bin/gmake -C src clean
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing ThreatLockDown inside it. You can also run an unattended installation.

Next steps

Uninstall

To uninstall ThreatLockDown agent, set WAZUH_HOME with the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf $WAZUH_HOME

Delete the service:

# find /sbin/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

Remove ThreatLockDown user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

This section describes how to download and build the ThreatLockDown agent from sources for the following Solaris versions:

For Solaris i386
For Solaris SPARC

Note

All the commands described below need to be executed with root user privileges. Since ThreatLockDown 3.5, it is necessary to have an Internet connection when following this process.

Install development tools and compilers.

Run the bash shell and install pkgutil.

# bash
# PATH="${PATH}:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/"
# export PATH
# pkgadd -d http://get.opencsw.org/now

Install the following tools:

# /opt/csw/bin/pkgutil -y -i git cmake automake autoconf gmake libtool wget curl gcc5core gcc5g++ gtar

Download and build the gcc/g++ 5.5 compiler:

# curl -L http://packages.wazuh.com/utils/gcc/gcc-5.5.0.tar.gz | gtar xz && cd gcc-5.5.0
# curl -L http://packages.wazuh.com/utils/gcc/mpfr-2.4.2.tar.bz2 | gtar xj && mv mpfr-2.4.2 mpfr
# curl -L http://packages.wazuh.com/utils/gcc/gmp-4.3.2.tar.bz2 | gtar xj && mv gmp-4.3.2 gmp
# curl -L http://packages.wazuh.com/utils/gcc/mpc-0.8.1.tar.gz | gtar xz && mv mpc-0.8.1 mpc
# curl -L http://packages.wazuh.com/utils/gcc/isl-0.14.tar.bz2 | gtar xj && mv isl-0.14 isl
# unset CPLUS_INCLUDE_PATH && unset LD_LIBRARY_PATH
# export PATH=/usr/sbin:/usr/bin:/usr/ccs/bin:/opt/csw/bin
# mkdir -p /usr/local
# ./configure --prefix=/usr/local/gcc-5.5.0 --enable-languages=c,c++ --disable-multilib --disable-libsanitizer --disable-bootstrap --with-ld=/usr/ccs/bin/ld --without-gnu-ld --with-gnu-as --with-as=/opt/csw/bin/gas
# gmake && gmake install
# export CPLUS_INCLUDE_PATH=/usr/local/gcc-5.5.0/include/c++/5.5.0
# export LD_LIBRARY_PATH=/usr/local/gcc-5.5.0/lib
# echo "export PATH=/usr/sbin:/usr/bin:/usr/ccs/bin:/opt/csw/bin" >> /etc/profile
# echo "export CPLUS_INCLUDE_PATH=/usr/local/gcc-5.5.0/include/c++/5.5.0" >> /etc/profile
# echo "export LD_LIBRARY_PATH=/usr/local/gcc-5.5.0/lib" >> /etc/profile
# rm -rf gcc-*
# ln -sf /usr/local/gcc-5.5.0/bin/g++ /usr/bin/g++
# cd ..

Note

The gmake step will take several minutes to complete. This is normal behavior.

Install cmake library:

# curl -sL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz | gtar xz
# cd cmake-3.18.3
# ./bootstrap
# gmake && gmake install
# cd .. && rm -rf cmake-3.18.3
# ln -sf /usr/local/bin/cmake /usr/bin/cmake

Download and install perl 5.10.1.

# wget http://www.cpan.org/src/5.0/perl-5.10.1.tar.gz
# gunzip ./perl-5.10.1.tar.gz && tar xvf perl-5.10.1.tar
# cd perl-5.10.1
# ./Configure -Dcc=gcc -d -e -s
# gmake clean && gmake -d -s
# gmake install -d -s
# cd ..

Remove the old version of perl and replace it with perl 5.10.1.

# rm /usr/bin/perl
# mv /opt/csw/bin/perl5.10.1 /usr/bin/
# mv /usr/bin/perl5.10.1 /usr/bin/perl
# rm -rf perl-5.10.1*

Download the latest version of Wazuh.

# /opt/csw/bin/git clone -b v4.9.0 https://github.com/wazuh/wazuh.git

Compile the sources.

For Solaris 10 i386:

# export PATH=/usr/local/gcc-5.5.0/bin:/usr/sbin:/usr/bin:/usr/ccs/bin:/opt/csw/bin:/opt/csw/gnu
# export CPLUS_INCLUDE_PATH=/usr/local/gcc-5.5.0/include/c++/5.5.0
# export LD_LIBRARY_PATH=/usr/local/gcc-5.5.0/lib
# cd wazuh/src
# gmake clean
# gmake deps TARGET=agent
# gmake -j 4 TARGET=agent PREFIX=/var/ossec USE_SELINUX=no
# cd ..

For Solaris 10 SPARC:

# export PATH=/usr/local/gcc-5.5.0/bin:/usr/sbin:/usr/bin:/usr/ccs/bin:/opt/csw/bin:/opt/csw/gnu
# export CPLUS_INCLUDE_PATH=/usr/local/gcc-5.5.0/include/c++/5.5.0
# export LD_LIBRARY_PATH=/usr/local/gcc-5.5.0/lib
# cd wazuh/src
# gmake clean
# gmake deps TARGET=agent RESOURCES_URL=http://packages.wazuh.com/deps/27
# gmake -j 4 TARGET=agent PREFIX=/var/ossec USE_SELINUX=no
USE_BIG_ENDIAN=yes
# cd ..

Patch solaris 10 sh files to change the shebang.

# for file in $(find . -name "*.sh");do
sed 's:#!/bin/sh:#!/usr/xpg4/bin/sh:g' $file > $file.new
mv $file.new $file && chmod +x $file
done

Run the install.sh script. This will run a wizard that will guide you through the installation process using the ThreatLockDown sources:
```
# bash install.sh
```
If you have previously compiled for another platform, you must clean the build using the Makefile in src:
```
# gmake -C src clean
# gmake -C src clean-deps
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing ThreatLockDown inside it. You can also run an unattended installation.
The script will ask about what kind of installation you want. Type agent in order to install a ThreatLockDown agent:
1- What kind of installation do you want (manager, agent, local, hybrid, or help)? agent

Next steps

Uninstall

To uninstall ThreatLockDown agent, set WAZUH_HOME with the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf $WAZUH_HOME

Delete the service:

# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

Remove ThreatLockDown user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

Note

All the commands described below need to be executed with root user privileges. Since ThreatLockDown 3.5, it is necessary to have an Internet connection when following this process.

Install development tools and build the needed compilers.

Install pkgutil and update it.

# pkgadd -d http://get.opencsw.org/now
# export PATH="${PATH}:/usr/sfw/bin:/opt/csw/bin:/opt/ccs/bin"
# pkgutil -y -U

Install python 2.7.

# /opt/csw/bin/pkgutil -y -i python27
# ln -sf /opt/csw/bin/python2.7 /usr/bin/python

Install the following tools:

# /opt/csw/bin/pkgutil -y -i git gmake cmake gcc5core gcc5g++

Install a gcc version to include all files needed in the next step:
```
# pkg install gcc-45
```

Download and build the gcc/g++ 5.5 compiler:

# curl -O https://packages.wazuh.com/utils/gcc/gcc-5.5.0.tar.gz && gtar xzf gcc-5.5.0.tar.gz
# ln -sf gcc-5.5.0 gcc
# cd gcc && ./contrib/download_prerequisites
# cd .. && mkdir -p gcc-build && cd gcc-build
# ../gcc/configure --prefix=/usr/local/gcc-5.5.0 --enable-languages=c,c++ --disable-multilib --disable-libsanitizer --disable-bootstrap --with-ld=/usr/ccs/bin/ld --without-gnu-ld --with-gnu-as --with-as=/opt/csw/bin/gas
# gmake
# gmake install
# export PATH=/usr/local/gcc-5.5.0/bin/:/usr/local/bin/:/usr/bin/:/usr/sbin/:$PATH
# export CPLUS_INCLUDE_PATH=/usr/local/gcc-5.5.0/include/c++/5.5.0/
# export LD_LIBRARY_PATH=/usr/local/gcc-5.5.0/lib/
# cd ..

Note

The gmake step will take several minutes to complete. This is normal behavior.

Install cmake library:

# curl -O -L https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && gtar xzf cmake-3.18.3.tar.gz && ln -sf cmake-3.18.3 cmake
# cd cmake && ./bootstrap
# gmake
# gmake install
# cd .. && rm -rf cmake-*

Download the latest version.
```
# git clone -b v4.9.0 https://github.com/wazuh/wazuh.git
```
Note

If you can’t download the file due to an Open SSL error, then you should copy the directory with the scp utility.
Run the install.sh script. This will run a wizard that will guide you through the installation process using the ThreatLockDown sources:
```
# cd wazuh*
# ./install.sh
```
If you have previously compiled for another platform, you must clean the build using the Makefile in src:
```
# gmake -C src clean
# gmake -C src clean-deps
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing ThreatLockDown inside it. You can also run an unattended installation.
The script will ask about what kind of installation you want. Type agent in order to install a ThreatLockDown agent:
```
1- What kind of installation do you want (manager, agent, local, hybrid, or help)? agent
```

Next steps

Uninstall

To uninstall the ThreatLockDown agent, set WAZUH_HOME with the current installation path:

# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:

# rm -rf $WAZUH_HOME

Delete the service:

# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

Remove ThreatLockDown user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null