Deploying ThreatLockDown agents on Linux endpoints
The agent runs on the host you want to monitor and communicates with the ThreatLockDown server, sending data in near real-time through an encrypted and authenticated channel.
The deployment of a ThreatLockDown agent on a Linux system uses deployment variables that facilitate the task of installing, registering, and configuring the agent. Alternatively, if you want to download the ThreatLockDown agent package directly, see the packages list section.
Note
You need root user privileges to run all the commands described below.
Add the ThreatLockDown repository
Add the ThreatLockDown repository to download the official packages.
Yum:
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
APT:
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Note
For Debian 7, 8, and Ubuntu 14 systems, import the GPG key and add the ThreatLockDown repository (steps 1 and 2) using the following commands.
# apt-get install gnupg apt-transport-https
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Zypper:
Import the GPG key:
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Refresh the repository:
# zypper refresh
APK:
Import the RSA key:
# wget -O /etc/apk/keys/alpine-devel@wazuh.com-633d7457.rsa.pub https://packages.wazuh.com/key/alpine-devel%40wazuh.com-633d7457.rsa.pub
Add the repository:
# echo "https://packages.wazuh.com/4.x/alpine/v3.12/main" >> /etc/apk/repositories
Update the metadata information:
# apk update
Deploy a ThreatLockDown agent
To deploy the ThreatLockDown agent on your endpoint, select your package manager and edit the WAZUH_MANAGER variable to contain your ThreatLockDown manager IP address or hostname.
Yum:
# WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the ThreatLockDown agent enrollment section.
APT:
# WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the ThreatLockDown agent enrollment section.
Zypper:
# WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Linux section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the ThreatLockDown agent enrollment section.
APK:
Install the ThreatLockDown agent:
# apk add wazuh-agent
Edit the agent configuration to add the address of your ThreatLockDown manager:
# export WAZUH_MANAGER="10.0.0.2" && sed -i "s|MANAGER_IP|$WAZUH_MANAGER|g" /var/ossec/etc/ossec.conf
For more customization options, like agent name or group, see the Linux/Unix endpoint configuration page. For more security options, check the Additional security options section.
Enable and start the ThreatLockDown agent service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent
SysV init:
Choose one option according to your operating system.
RPM-based operating systems:
# chkconfig --add wazuh-agent
# service wazuh-agent start
Debian-based operating systems:
# update-rc.d wazuh-agent defaults 95 10
# service wazuh-agent start
On some systems, like Alpine Linux, you need to start the agent manually:
# /var/ossec/bin/wazuh-control start
The deployment process is now complete, and the ThreatLockDown agent is successfully running on your Linux system.
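The manager-address step (the MANAGER_IP substitution shown for Alpine above) is worth wrapping in a check before the service is started. The following is an added example, not code from the page or from the ThreatLockDown/Wazuh project: it validates the address, refuses to touch a file that no longer holds the placeholder, and confirms the value landed in the agent's `<address>` element. It assumes GNU sed for `-i` and takes the file path as a parameter so it can be exercised on a copy before editing /var/ossec/etc/ossec.conf.

```shell
#!/bin/sh
# Added example, not code from the page or from the ThreatLockDown/Wazuh project.
# Sets the manager address in an agent ossec.conf (the MANAGER_IP substitution
# shown for Alpine above) and verifies the result. Assumes GNU sed for -i.

# configure_manager <ossec.conf path> <manager address>
# Returns 0 on success, 1 if the address is malformed, 2 if the file holds no
# MANAGER_IP placeholder (already configured, left untouched), and the status
# of manager_configured otherwise.
configure_manager() {
    conf="$1"
    manager="$2"
    # Accept only an IPv4 address or a plain hostname: letters, digits, dots
    # and hyphens, not starting or ending with a dot or a hyphen.
    case "$manager" in
        '' | *[!A-Za-z0-9.-]* | .* | *. | -* | *-) return 1 ;;
    esac
    grep -q 'MANAGER_IP' "$conf" || return 2
    sed -i "s|MANAGER_IP|$manager|g" "$conf"
    manager_configured "$conf" "$manager"
}

# manager_configured <ossec.conf path> <manager address>
# Returns 0 when no placeholder remains and <address> holds the expected value,
# 3 if the placeholder is still present, 1 if the address was not written.
manager_configured() {
    conf="$1"
    manager="$2"
    grep -q 'MANAGER_IP' "$conf" && return 3
    grep -q "<address>$manager</address>" "$conf"
}

# Constructed sample: the <client> fragment of a freshly installed ossec.conf,
# written to the path given as $1 so the functions can be exercised on a copy.
make_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
}
```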
Recommended action - Disable ThreatLockDown updates
Compatibility between the ThreatLockDown agent and the ThreatLockDown manager is guaranteed when the ThreatLockDown manager version is later than or equal to that of the ThreatLockDown agent. Therefore, we recommend disabling the ThreatLockDown repository to prevent accidental upgrades. To do so, use the following command:
Yum:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
APT:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update
Alternatively, you can set the package state to hold. This action stops updates, but you can still upgrade the agent manually using apt-get install.
# echo "wazuh-agent hold" | dpkg --set-selections
Zypper:
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
APK:
# sed -i "s|^https://packages.wazuh.com|#https://packages.wazuh.com|g" /etc/apk/repositories
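The repository-disabling commands above each target one file format. The following is an added example, not code from the page or from the ThreatLockDown/Wazuh project, that applies the same change to whichever format the endpoint uses and then verifies that no enabled ThreatLockDown entry remains. It narrows the edit to the [wazuh] section or to the packages.wazuh.com lines, so any other repository that shares the file stays enabled. It assumes GNU sed for `-i`; the file path is a parameter so a copy can be tested before touching /etc.

```shell
#!/bin/sh
# Added example, not code from the page or from the ThreatLockDown/Wazuh project.
# Disables the ThreatLockDown repository in each repository file format used
# above and verifies that no enabled entry remains. Unlike the one-line sed
# commands above, only the [wazuh] section or the packages.wazuh.com lines are
# touched, so other repositories in the same file stay enabled.
# Assumes GNU sed (-i); the file path is a parameter so a copy can be tested.

# disable_wazuh_repo <repository file>; returns 2 for an unknown file type.
disable_wazuh_repo() {
    f="$1"
    case "$f" in
        *.repo)          # yum and zypper: only inside the [wazuh] section
            sed -i '/^\[wazuh\]/,/^\[/ s/^enabled=1/enabled=0/' "$f" ;;
        *.list)          # apt: comment out deb lines pointing at the repo
            sed -i 's/^deb\(.*packages\.wazuh\.com\)/#deb\1/' "$f" ;;
        */repositories)  # apk: comment out the repo URL line
            sed -i 's|^https://packages\.wazuh\.com|#https://packages.wazuh.com|' "$f" ;;
        *) return 2 ;;
    esac
}

# wazuh_repo_enabled <repository file>
# Returns 0 if an enabled ThreatLockDown entry is still present, 1 if not.
wazuh_repo_enabled() {
    f="$1"
    case "$f" in
        *.repo) sed -n '/^\[wazuh\]/,/^\[/p' "$f" | grep -q '^enabled=1' ;;
        *.list) grep -q '^deb.*packages\.wazuh\.com' "$f" ;;
        */repositories) grep -q '^https://packages\.wazuh\.com' "$f" ;;
        *) return 2 ;;
    esac
}

# Constructed samples (not real files from an endpoint) written into directory $1.
make_sample_repos() {
    d="$1"
    printf '%s\n' '[wazuh]' 'gpgcheck=1' 'enabled=1' \
        'baseurl=https://packages.wazuh.com/4.x/yum/' > "$d/wazuh.repo"
    printf '%s\n' 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main' \
        > "$d/wazuh.list"
    printf '%s\n' 'https://mirror.example/alpine/v3.12/main' \
        'https://packages.wazuh.com/4.x/alpine/v3.12/main' > "$d/repositories"
}
```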
Uninstall a ThreatLockDown agent
To uninstall the agent, run the following commands:
Remove the ThreatLockDown agent installation.
Yum:
# yum remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the /var/ossec folder.
APT:
# apt-get remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, run the following command:
# apt-get remove --purge wazuh-agent
Zypper:
# zypper remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. If you want to completely remove all files, delete the /var/ossec folder.
APK:
# apk del wazuh-agent
Disable the ThreatLockDown agent service.
Systemd:
# systemctl disable wazuh-agent
# systemctl daemon-reload
SysV init:
Choose one option according to your operating system.
RPM-based operating systems:
# chkconfig wazuh-agent off
# chkconfig --del wazuh-agent
Debian-based operating systems:
# update-rc.d -f wazuh-agent remove
Other systems (for example Alpine Linux, where the agent was started manually): no action is required.
The ThreatLockDown agent is now completely removed from your Linux endpoint.