Installing ThreatLockDown agents on macOS endpoints
The agent runs on the endpoint you want to monitor and communicates with the ThreatLockDown server, sending data in near real-time through an encrypted and authenticated channel.
Note
You need root user privileges to run all the commands described below.
To start the installation process, download the ThreatLockDown agent according to your architecture:
Intel: wazuh-agent-4.9.0-1.intel64.pkg. Suitable for macOS Sierra and later.
Apple silicon: wazuh-agent-4.9.0-1.arm64.pkg. Suitable for macOS Big Sur and later.
Select the installation method you want to follow: Command line interface (CLI) or graphical user interface (GUI).
Command line interface (CLI)
To deploy the ThreatLockDown agent on your endpoint, choose your architecture, edit the WAZUH_MANAGER variable to contain your ThreatLockDown manager IP address or hostname, and run the following command.
# echo "WAZUH_MANAGER='10.0.0.2'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.9.0-1.intel64.pkg -target /
New in version 4.5.1.
# echo "WAZUH_MANAGER='10.0.0.2'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.9.0-1.arm64.pkg -target /
For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for macOS section.
Note
Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the ThreatLockDown agent enrollment section.
To complete the installation process, start the ThreatLockDown agent.
# /Library/Ossec/bin/wazuh-control start
The installation process is now complete, and the ThreatLockDown agent is successfully deployed and running on your macOS endpoint.
Graphical user interface (GUI)
To install the ThreatLockDown agent on your system, run the downloaded file and follow the steps in the installation wizard. If you are not sure how to answer some of the prompts, use the default answers.
To complete the installation process, start the ThreatLockDown agent.
# sudo /Library/Ossec/bin/wazuh-control start
The installation process is now complete, and the ThreatLockDown agent is successfully installed on your macOS endpoint. The next step is to register and configure the agent to communicate with the ThreatLockDown server. To perform this action, see the ThreatLockDown agent enrollment section.
By default, all agent files are stored in /Library/Ossec/ after the installation.
Uninstall a ThreatLockDown agent
To uninstall the agent, follow these steps:
Stop the ThreatLockDown agent service.
# /Library/Ossec/bin/wazuh-control stop
Remove the /Library/Ossec/ folder.
# /bin/rm -r /Library/Ossec
Stop and unload the dispatcher.
# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
Remove launchdaemons and StartupItems.
# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
# /bin/rm -rf /Library/StartupItems/WAZUH
Remove the ThreatLockDown user and group.
# /usr/bin/dscl . -delete "/Users/wazuh"
# /usr/bin/dscl . -delete "/Groups/wazuh"
Remove from pkgutil.
# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
The ThreatLockDown agent is now completely removed from your macOS endpoint.
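One way to confirm that the uninstall steps left nothing behind, as an added example that is not part of the ThreatLockDown documentation. The function name find_agent_leftovers and its optional root-prefix argument are assumptions; the paths, account records and package ID are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: report agent artifacts that survive the uninstall steps.
# The function name and the optional root-prefix argument are hypothetical.

# Print one line per leftover; return 0 when nothing is left, 1 otherwise.
find_agent_leftovers() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", so the paths below resolve unchanged
    found=0

    # Files and folders deleted by the rm steps (dangling symlinks count too)
    for path in /Library/Ossec \
                /Library/LaunchDaemons/com.wazuh.agent.plist \
                /Library/StartupItems/WAZUH; do
        if [ -e "${root}${path}" ] || [ -L "${root}${path}" ]; then
            echo "leftover path: ${path}"
            found=1
        fi
    done

    # User, group and receipt checks query the live system, so they run
    # only against the real root on a host that has dscl (macOS).
    if [ -z "$root" ] && command -v dscl >/dev/null 2>&1; then
        for record in /Users/wazuh /Groups/wazuh; do
            if /usr/bin/dscl . -read "$record" >/dev/null 2>&1; then
                echo "leftover directory record: ${record}"
                found=1
            fi
        done
        if /usr/sbin/pkgutil --pkg-info com.wazuh.pkg.wazuh-agent >/dev/null 2>&1; then
            echo "leftover package receipt: com.wazuh.pkg.wazuh-agent"
            found=1
        fi
    fi
    return "$found"
}

# Run only when called with a root argument, for example: sh check.sh /
if [ "$#" -gt 0 ]; then
    find_agent_leftovers "$1"
fi
```

Run it as root with / as the argument after the last uninstall step; a non-zero exit status means at least one listed artifact is still present.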