Installing the ThreatLockDown dashboard step by step
Install and configure the ThreatLockDown dashboard following step-by-step instructions. The ThreatLockDown dashboard is a web interface for mining and visualizing the ThreatLockDown server alerts and archived events.
Note
You need root user privileges to run all the commands described below.
ThreatLockDown dashboard installation
Installing package dependencies
Install the following packages if missing.
Yum:
# yum install libcap
APT:
# apt-get install debhelper tar curl libcap2-bin   # debhelper version 9 or later
Adding the ThreatLockDown repository
Note
If you are installing the ThreatLockDown dashboard on the same host as the ThreatLockDown indexer or the ThreatLockDown server, you may skip these steps as you may have added the ThreatLockDown repository already.
Yum:
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
APT:
Install the following packages if missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information.
# apt-get update
Installing the ThreatLockDown dashboard
Install the ThreatLockDown dashboard package.
Yum:
# yum -y install wazuh-dashboard
APT:
# apt-get -y install wazuh-dashboard
Configuring the ThreatLockDown dashboard
Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and replace the following values:
server.host: This setting specifies the host of the ThreatLockDown dashboard server. To allow remote users to connect, set the value to the IP address or DNS name of the ThreatLockDown dashboard server. The value 0.0.0.0 will accept all the available IP addresses of the host.
opensearch.hosts: The URLs of the ThreatLockDown indexer instances to use for all your queries. The ThreatLockDown dashboard can be configured to connect to multiple ThreatLockDown indexer nodes in the same cluster. The addresses of the nodes can be separated by commas. For example, ["https://10.0.0.2:9200", "https://10.0.0.3:9200", "https://10.0.0.4:9200"]
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
Deploying certificates
Note
Make sure that a copy of the wazuh-certificates.tar file, created during the initial configuration step, is placed in your working directory.
Replace <dashboard-node-name> with your ThreatLockDown dashboard node name, the same one used in config.yml to create the certificates, and move the certificates to their corresponding location.
# NODE_NAME=<dashboard-node-name>
# mkdir /etc/wazuh-dashboard/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
# chmod 500 /etc/wazuh-dashboard/certs
# chmod 400 /etc/wazuh-dashboard/certs/*
# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
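The certificate step above is easy to get subtly wrong (a leftover world-readable key, a node name that does not match the tarball). The following script is an added example, not part of the ThreatLockDown documentation: it wraps the same extract, rename and lock-down sequence in a function whose target directory is a parameter, adds a verification function that checks the resulting modes, and builds a constructed placeholder tarball so the whole thing can be exercised in a temporary directory. It assumes GNU `stat -c` and that the `wazuh-dashboard` service account only exists on a real dashboard host (the `chown` is skipped otherwise).

```shell
#!/bin/sh
# Added example (not from the ThreatLockDown docs): deploy the dashboard
# certificates from a wazuh-certificates.tar and verify the resulting
# permissions. Assumes GNU coreutils (stat -c) and a tar that can extract
# named members.
set -u

# deploy_dashboard_certs NODE_NAME TARBALL DEST_DIR
# Extracts ./<node>.pem, ./<node>-key.pem and ./root-ca.pem from TARBALL into
# DEST_DIR, renames the node pair to dashboard.pem / dashboard-key.pem
# (mv -n never overwrites an existing file) and locks the directory down,
# mirroring the manual commands for /etc/wazuh-dashboard/certs.
deploy_dashboard_certs() {
    node="$1"; tarball="$2"; dest="$3"
    mkdir -p "$dest"
    tar -xf "$tarball" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem
    mv -n "$dest/$node.pem" "$dest/dashboard.pem"
    mv -n "$dest/$node-key.pem" "$dest/dashboard-key.pem"
    chmod 500 "$dest"
    chmod 400 "$dest"/*
    # The service account only exists on a real dashboard host.
    if id wazuh-dashboard >/dev/null 2>&1; then
        chown -R wazuh-dashboard:wazuh-dashboard "$dest"
    fi
}

# verify_cert_perms DEST_DIR
# Prints "ok" and returns 0 when all three files exist with mode 400 and the
# directory has mode 500; otherwise prints what is wrong and returns 1.
verify_cert_perms() {
    dest="$1"
    for f in dashboard.pem dashboard-key.pem root-ca.pem; do
        [ -f "$dest/$f" ] || { echo "missing $f"; return 1; }
        mode=$(stat -c '%a' "$dest/$f")
        [ "$mode" = "400" ] || { echo "$f has mode $mode, expected 400"; return 1; }
    done
    [ "$(stat -c '%a' "$dest")" = "500" ] || { echo "directory mode is not 500"; return 1; }
    echo ok
}

# make_fixture_tar NODE_NAME OUT_TAR
# Builds a constructed tarball laid out like wazuh-certificates.tar
# (./<node>.pem, ./<node>-key.pem, ./root-ca.pem). The contents are
# placeholders, not real certificates; this exists only so the functions
# above can be tested without a real deployment.
make_fixture_tar() {
    node="$1"; out="$2"
    work=$(mktemp -d)
    for f in "$node.pem" "$node-key.pem" root-ca.pem; do
        printf '%s\n' "-----BEGIN PLACEHOLDER-----" "$f" "-----END PLACEHOLDER-----" > "$work/$f"
    done
    (cd "$work" && tar -cf "$out" "./$node.pem" "./$node-key.pem" ./root-ca.pem)
    rm -rf "$work"
}

# Usage on a real host (as root), with the node name used in config.yml:
#   deploy_dashboard_certs "<dashboard-node-name>" ./wazuh-certificates.tar /etc/wazuh-dashboard/certs
#   verify_cert_perms /etc/wazuh-dashboard/certs
```

Running `verify_cert_perms` after the deployment gives you a one-line check that the private key is not readable by anyone but the service account, which is the condition that actually matters for the dashboard's TLS key.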
Starting the ThreatLockDown dashboard service
Enable and start the ThreatLockDown dashboard service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard
SysV init:
Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-dashboard
# service wazuh-dashboard start
Debian-based operating system:
# update-rc.d wazuh-dashboard defaults 95 10
# service wazuh-dashboard start
Only for distributed deployments
Edit the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file and replace the url value with the IP address or hostname of the ThreatLockDown server master node.
hosts:
  - default:
      url: https://localhost
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
Access the ThreatLockDown web interface with your credentials.
URL: https://<wazuh-dashboard-ip>
Username: admin
Password: admin
When you access the ThreatLockDown dashboard for the first time, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser. For increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
Securing your ThreatLockDown installation
You have now installed and configured all the ThreatLockDown central components. We recommend changing the default credentials to protect your infrastructure from possible attacks.
Select your deployment type and follow the instructions to change the default passwords for both the ThreatLockDown API and the ThreatLockDown indexer users.
All-in-one deployment:
Use the ThreatLockDown passwords tool to change all the internal users' passwords.
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
INFO: The password for user admin is yWOzmNA.?Aoc+rQfDBcF71KZp?1xd7IO
INFO: The password for user kibanaserver is nUa+66zY.eDF*2rRl5GKdgLxvgYQA+wo
INFO: The password for user kibanaro is 0jHq.4i*VAgclnqFiXvZ5gtQq1D5LCcL
INFO: The password for user logstash is hWW6U45rPoCT?oR.r.Baw2qaWz2iH8Ml
INFO: The password for user readall is PNt5K+FpKDMO2TlxJ6Opb2D0mYl*I7FQ
INFO: The password for user snapshotrestore is +GGz2noZZr2qVUK7xbtqjUup049tvLq.
WARNING: ThreatLockDown indexer passwords changed. Remember to update the password in the ThreatLockDown dashboard and Filebeat nodes if necessary, and restart the services.
INFO: The password for ThreatLockDown API user ThreatLockDown is JYWz5Zdb3Yq+uOzOPyUU4oat0n60VmWI
INFO: The password for ThreatLockDown API user wazuh-wui is +fLddaCiZePxh24*?jC0nyNmgMGCKE+2
INFO: Updated wazuh-wui user password in ThreatLockDown dashboard. Remember to restart the service.
Distributed deployment:
On any ThreatLockDown indexer node, use the ThreatLockDown passwords tool to change the passwords of the ThreatLockDown indexer users.
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
INFO: ThreatLockDown API admin credentials not provided, ThreatLockDown API passwords not changed.
INFO: The password for user admin is wcAny.XUwOVWHFy.+7tW9l8gUW1L8N3j
INFO: The password for user kibanaserver is qy6fBrNOI4fD9yR9.Oj03?pihN6Ejfpp
INFO: The password for user kibanaro is Nj*sSXSxwntrx3O7m8ehrgdHkxCc0dna
INFO: The password for user logstash is nQg1Qw0nIQFZXUJc8r8+zHVrkelch33h
INFO: The password for user readall is s0iWAei?RXObSDdibBfzSgXdhZCD9kH4
INFO: The password for user snapshotrestore is Mb2EHw8SIc1d.oz.nM?dHiPBGk7s?UZB
WARNING: ThreatLockDown indexer passwords changed. Remember to update the password in the ThreatLockDown dashboard and Filebeat nodes if necessary, and restart the services.
On your ThreatLockDown server master node, download the ThreatLockDown passwords tool and use it to change the passwords of the ThreatLockDown API users.
# curl -sO https://packages.wazuh.com/4.9/wazuh-passwords-tool.sh
# bash wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
INFO: The password for ThreatLockDown API user ThreatLockDown is ivLOfmj7.jL6*7Ev?UJoFjrkGy9t6Je.
INFO: The password for ThreatLockDown API user wazuh-wui is fL+f?sFRPEv5pYRE559rqy9b6G4Z5pVi
On all your ThreatLockDown server nodes, run the following command to update the admin password in the Filebeat keystore. Replace <admin-password> with the random password generated in the first step.
# echo <admin-password> | filebeat keystore add password --stdin --force
Restart Filebeat to apply the change.
Systemd:
# systemctl restart filebeat
SysV init:
# service filebeat restart
Note
Repeat steps 3 and 4 on every ThreatLockDown server node.
On your ThreatLockDown dashboard node, run the following command to update the kibanaserver password in the ThreatLockDown dashboard keystore. Replace <kibanaserver-password> with the random password generated in the first step.
# echo <kibanaserver-password> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
Update the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file with the new wazuh-wui password generated in the second step.
hosts:
  - default:
      url: https://localhost
      port: 55000
      username: wazuh-wui
      password: "<wazuh-wui-password>"
      run_as: false
Restart the ThreatLockDown dashboard to apply the changes.
Systemd:
# systemctl restart wazuh-dashboard
SysV init:
# service wazuh-dashboard restart
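The generated passwords contain characters such as ?, * and +, so copying them by hand into the `echo <admin-password> | ... keystore add` commands above invites both transcription mistakes and unquoted-glob surprises. The script below is an added example, not part of the ThreatLockDown documentation: it parses the "INFO: The password for ... user NAME is PASSWORD" lines that the passwords tool prints (the format shown in the output above, for both indexer users and "ThreatLockDown API user" entries) and feeds the extracted values into the Filebeat and dashboard keystores with the same commands as the manual steps. The sample output embedded in it is constructed with made-up values; the keystore binaries are only invoked if they are present on the host.

```shell
#!/bin/sh
# Added example (not from the ThreatLockDown docs): extract individual
# passwords from wazuh-passwords-tool.sh output and load them into the
# Filebeat and dashboard keystores. Assumes the tool's line format as shown
# on this page; keystore commands run only when the binaries exist.
set -u

# Constructed sample of the tool's output. The values are made up but contain
# the same kind of shell metacharacters (? * + .) as real ones, which is why
# every expansion below is double-quoted.
SAMPLE_OUTPUT='INFO: The password for user admin is Adm1n+Ex?ample*Only.
INFO: The password for user kibanaserver is K1bana?Ex+ample*Only.
INFO: The password for user kibanaro is R0.Only?Ex+ample
WARNING: ThreatLockDown indexer passwords changed. Remember to update the password in the ThreatLockDown dashboard and Filebeat nodes if necessary, and restart the services.
INFO: The password for ThreatLockDown API user wazuh-wui is Wui+Ex?ample*Only.
INFO: Updated wazuh-wui user password in ThreatLockDown dashboard. Remember to restart the service.'

# password_for_user NAME
# Reads tool output on stdin and prints the password for NAME. Matches both
# "for user NAME is" and "for ThreatLockDown API user NAME is". The generated
# passwords contain no whitespace, so the token after "is" is the whole
# secret. Returns 1 if NAME does not appear.
password_for_user() {
    awk -v want="$1" '
        /^INFO:/ {
            for (i = 1; i < NF - 2; i++)
                if ($i == "user" && $(i + 1) == want && $(i + 2) == "is") {
                    print $(i + 3); found = 1; exit
                }
        }
        END { exit found ? 0 : 1 }'
}

# update_keystores ADMIN_PW KIBANASERVER_PW
# Same keystore commands as the manual steps, but each secret arrives via
# printf on stdin from a quoted variable, so ? and * are never glob-expanded.
# Filebeat is updated on server nodes, the dashboard keystore on the
# dashboard node; each is skipped where the binary is absent.
update_keystores() {
    admin_pw="$1"; kibana_pw="$2"
    if command -v filebeat >/dev/null 2>&1; then
        printf '%s\n' "$admin_pw" | filebeat keystore add password --stdin --force
    fi
    if [ -x /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore ]; then
        printf '%s\n' "$kibana_pw" | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
    fi
}

# Typical use on a real host: capture the tool's output into a root-only
# file, then pull the two values from it instead of retyping them.
#   umask 077; wazuh-passwords-tool.sh --change-all ... | tee /root/passwords.out
#   update_keystores "$(password_for_user admin < /root/passwords.out)" \
#                    "$(password_for_user kibanaserver < /root/passwords.out)"

# Demonstration against the constructed sample (prints the kibanaserver value).
printf '%s\n' "$SAMPLE_OUTPUT" | password_for_user kibanaserver
```

Keep the captured output file only until the keystores and wazuh.yml are updated, then delete it; the keystores are the intended long-term home for these secrets, not a plain text file.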
Next steps
All the ThreatLockDown central components are successfully installed and secured.
The ThreatLockDown environment is now ready, and you can proceed with installing the ThreatLockDown agent on the endpoints to be monitored. To perform this action, see the ThreatLockDown agent section.
If you want to uninstall the ThreatLockDown dashboard, see Uninstall the ThreatLockDown dashboard.