Using password authentication
This method requires a password during the enrollment process to ensure that agents enrolled with the ThreatLockDown manager are authenticated.
The following sections describe how to configure password authentication on the manager and on Linux/Unix, Windows, and macOS endpoint agents:
Prerequisites
Before an agent can be enrolled with the ThreatLockDown manager using the password authentication method, the following must be done on the ThreatLockDown manager:

1. Enable the password authentication option by adding the configuration below to the <auth> section of the manager configuration file /var/ossec/etc/ossec.conf:

<auth>
  <use_password>yes</use_password>
</auth>
2. Set a password to be used with agent enrollment. This can be achieved in two ways:

Recommended - Setting your own password. This is done by creating the file /var/ossec/etc/authd.pass on the manager with your password in it.

a. Replace <CUSTOM_PASSWORD> with your chosen agent enrollment password and run the following command:

# echo "<CUSTOM_PASSWORD>" > /var/ossec/etc/authd.pass

b. Change the authd.pass file permissions and ownership:

# chmod 640 /var/ossec/etc/authd.pass
# chown root:wazuh /var/ossec/etc/authd.pass

c. Restart the ThreatLockDown service for the changes to take effect. Use the command matching your init system:

# systemctl restart wazuh-manager
# service wazuh-manager restart

Allowing the enrollment service to set a random password. A new random password is generated each time the ThreatLockDown manager service is restarted.

a. Restart the manager so the enrollment service generates a random password. This password is stored in /var/ossec/logs/ossec.log. Use the command matching your init system:

# systemctl restart wazuh-manager
# service wazuh-manager restart

b. Run the following command to get the agent enrollment password:

# grep "Random password" /var/ossec/logs/ossec.log
2022/01/11 12:41:35 wazuh-authd: INFO: Accepting connections on port 1515. Random password chosen for agent authentication: 6258b4eb21550e4f182a08c10d94585e
Note
In a multi-node cluster deployment, ensure that password authentication is enabled on each manager node. Otherwise an agent could enroll without a password through an unsecured manager node.
Once the above prerequisites are fulfilled, agent enrollment can be done using the steps corresponding to the OS running on endpoints with the agent installed.
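As an added example (not part of the ThreatLockDown documentation), the following POSIX shell script checks the manager-side prerequisites described above: that use_password is set to yes inside the <auth> block of ossec.conf, that authd.pass is present, non-empty and mode 640, and how to extract the random password from the ossec.log line shown above. It assumes GNU coreutils (stat -c); the sample ossec.conf and log line it builds in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the ThreatLockDown documentation: checks for the
# manager-side prerequisites of password-based agent enrollment.
# Assumes GNU coreutils (stat -c). File paths are passed as arguments so the
# functions can be run against sample files as well as the real ones.

# Succeed when the <auth> block of the given ossec.conf sets use_password to yes.
auth_password_enabled() {
    sed -n '/<auth>/,/<\/auth>/p' "$1" \
        | grep -q '<use_password>[[:space:]]*yes[[:space:]]*</use_password>'
}

# Print the octal permission bits of a file, e.g. 640.
file_mode() {
    stat -c '%a' "$1"
}

# Print the owner and group of a file as owner:group (expected root:wazuh).
file_owner() {
    stat -c '%U:%G' "$1"
}

# Succeed when authd.pass exists, is non-empty and has mode 640.
authd_pass_file_ok() {
    [ -s "$1" ] && [ "$(file_mode "$1")" = "640" ]
}

# Print the most recent random enrollment password logged by wazuh-authd
# (the "Random password chosen for agent authentication:" line in ossec.log).
random_password_from_log() {
    sed -n 's/.*Random password chosen for agent authentication: \([0-9a-f]*\).*/\1/p' "$1" \
        | tail -n 1
}

# Write the enrollment password to authd.pass. The file is created under
# umask 077 so it is never group- or world-readable before chmod runs, then
# set to the documented mode 640 (chown root:wazuh is left to the caller).
write_authd_pass() {
    ( umask 077 && printf '%s\n' "$2" > "$1" ) || return 1
    chmod 640 "$1"
}

# Demonstration on constructed sample files in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ossec.conf" <<'EOF'
<ossec_config>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_password>yes</use_password>
  </auth>
</ossec_config>
EOF
    # Constructed log line, modelled on the output shown in the documentation.
    printf '%s\n' '2022/01/11 12:41:35 wazuh-authd: INFO: Accepting connections on port 1515. Random password chosen for agent authentication: 6258b4eb21550e4f182a08c10d94585e' \
        > "$tmp/ossec.log"

    write_authd_pass "$tmp/authd.pass" "$(random_password_from_log "$tmp/ossec.log")"

    if auth_password_enabled "$tmp/ossec.conf"; then
        echo "use_password: enabled"
    else
        echo "use_password: NOT enabled"
    fi
    if authd_pass_file_ok "$tmp/authd.pass"; then
        echo "authd.pass: ok (mode $(file_mode "$tmp/authd.pass"), owner $(file_owner "$tmp/authd.pass"))"
    else
        echo "authd.pass: missing, empty or wrong mode"
    fi
    rm -rf "$tmp"
}

demo
```

The write_authd_pass helper differs from the documented echo redirection in one respect: with the default umask, echo creates the file as 644 and it stays world-readable until the chmod in the next step runs, whereas creating it under umask 077 closes that window. Run the check functions against /var/ossec/etc/ossec.conf and /var/ossec/etc/authd.pass on the manager to confirm the prerequisites before enrolling agents.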
Linux/Unix endpoint
The following steps serve as a guide on how to enroll a Linux/Unix endpoint with password authentication:

1. Launch the terminal as a root user.

2. Create the file /var/ossec/etc/authd.pass with the enrollment password in it. Replace <CUSTOM_PASSWORD> with the agent enrollment password created on the manager:

# echo "<CUSTOM_PASSWORD>" > /var/ossec/etc/authd.pass

3. File permissions for the authd.pass file should be set to 640 and the owner should be root. The permissions and ownership can be configured by running the commands below:

# chmod 640 /var/ossec/etc/authd.pass
# chown root:wazuh /var/ossec/etc/authd.pass

The output below shows the recommended file owner and permissions.

-rw-r--r-- 1 root wazuh 18 Jan 11 13:03 /var/ossec/etc/authd.pass

4. Add the ThreatLockDown manager IP address or DNS name in the <client><server><address> section of the agent configuration file /var/ossec/etc/ossec.conf:

<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>

This allows the agent to send logs to the specified manager.

5. Restart the agent to make the changes effective. Use the command matching your init system:

# systemctl restart wazuh-agent
# service wazuh-agent restart
# /var/ossec/bin/wazuh-control restart

6. Select the Server management > Endpoints Summary module in the ThreatLockDown dashboard to check for the newly enrolled agent and its connection status, and confirm that enrollment was successful.
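As an added example (not part of the ThreatLockDown documentation), the following POSIX shell script covers the agent-side steps above: reading and setting the manager address in the <client><server> block of ossec.conf, and checking that the agent is ready to enroll (the MANAGER_IP placeholder has been replaced and authd.pass is non-empty with mode 640). It assumes GNU sed (-i) and GNU stat (-c); the sample ossec.conf and the manager IP 192.0.2.10 are constructed for the demonstration. The same checks apply to the macOS paths under /Library/Ossec.

```shell
#!/bin/sh
# Added example, not part of the ThreatLockDown documentation: agent-side helpers
# for the Linux/Unix enrollment steps (the same checks apply to the macOS paths
# under /Library/Ossec). Assumes GNU sed (-i) and GNU stat (-c).
# Paths are passed as arguments so the functions can be run on sample files.

# Print the first <address> inside the <client> block of ossec.conf.
manager_address() {
    sed -n '/<client>/,/<\/client>/p' "$1" \
        | sed -n 's/.*<address>\([^<]*\)<\/address>.*/\1/p' | head -n 1
}

# Succeed when the string looks like an IPv4/IPv6 address or a DNS name.
# Anything else (spaces, XML metacharacters, sed delimiters) is rejected
# before it is interpolated into the configuration file.
valid_address() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.:-]+$'
}

# Replace every <address> in the <client> block with the manager IP or DNS
# name; other blocks (for example <remote> on a manager) are left untouched.
set_manager_address() {
    valid_address "$2" || { echo "set_manager_address: invalid address '$2'" >&2; return 1; }
    sed -i "/<client>/,/<\/client>/s|<address>[^<]*</address>|<address>$2</address>|" "$1"
}

# Succeed when the agent is ready to enroll: a real manager address (not the
# MANAGER_IP placeholder) and a non-empty authd.pass with mode 640.
# Prints one line per problem found.
enrollment_ready() {
    conf="$1"; passfile="$2"; ok=0
    addr=$(manager_address "$conf")
    if [ -z "$addr" ] || [ "$addr" = "MANAGER_IP" ]; then
        echo "manager address not set in $conf"; ok=1
    fi
    if [ ! -s "$passfile" ]; then
        echo "$passfile is missing or empty"; ok=1
    elif [ "$(stat -c '%a' "$passfile")" != "640" ]; then
        echo "$passfile has mode $(stat -c '%a' "$passfile"), expected 640"; ok=1
    fi
    return $ok
}

# Demonstration on a constructed sample configuration.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ossec.conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
    </server>
  </client>
</ossec_config>
EOF
    echo "before: address=$(manager_address "$tmp/ossec.conf")"
    enrollment_ready "$tmp/ossec.conf" "$tmp/authd.pass" || echo "not ready yet"
    set_manager_address "$tmp/ossec.conf" "192.0.2.10"   # constructed manager IP
    printf '%s\n' "example-enrollment-password" > "$tmp/authd.pass"
    chmod 640 "$tmp/authd.pass"
    echo "after: address=$(manager_address "$tmp/ossec.conf")"
    enrollment_ready "$tmp/ossec.conf" "$tmp/authd.pass" && echo "ready to enroll"
    rm -rf "$tmp"
}

demo
```

Restricting the substitution to the <client> block matters because a manager's own ossec.conf also carries <address> elements in other sections; a bare global replace would rewrite those as well. Running enrollment_ready before restarting the agent catches the two most common enrollment failures, a placeholder address and a missing or unreadable password file, without waiting for the dashboard to show the agent as disconnected.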
Windows endpoint
The following steps serve as a guide on how to enroll a Windows endpoint with password authentication:

The ThreatLockDown agent installation directory depends on the architecture of the host:
C:\Program Files (x86)\ossec-agent for 64-bit systems.
C:\Program Files\ossec-agent for 32-bit systems.

1. Launch PowerShell as an administrator.

2. Create a file called authd.pass and save the password to it. Replace <CUSTOM_PASSWORD> with the agent enrollment password created on the manager:

# echo "<CUSTOM_PASSWORD>" > "C:\Program Files (x86)\ossec-agent\authd.pass"

3. Add the ThreatLockDown manager IP address or DNS name in the <client><server><address> section of C:\Program Files (x86)\ossec-agent\ossec.conf:

<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>

4. Restart the agent to make the changes effective, using either of the following:

# Restart-Service -Name wazuh

# net stop wazuh
# net start wazuh

5. Select the Server management > Endpoints Summary module in the ThreatLockDown dashboard to check for the newly enrolled agent and its connection status, and confirm that enrollment was successful.
macOS endpoint
The following steps serve as a guide on how to enroll a macOS endpoint with password authentication:

1. Launch the terminal as a root user.

2. Create a file called /Library/Ossec/etc/authd.pass and save the password to it. Replace <CUSTOM_PASSWORD> with the agent enrollment password created on the manager:

# echo "<CUSTOM_PASSWORD>" > /Library/Ossec/etc/authd.pass

3. File permissions for the authd.pass file should be set to 640 and the owner should be root. The permissions and ownership can be configured by running the commands below:

# chmod 640 /Library/Ossec/etc/authd.pass
# chown root:wazuh /Library/Ossec/etc/authd.pass

The output below shows the recommended file owner and permissions:

-rw-r--r-- 1 root wazuh 18 Jan 11 13:03 /Library/Ossec/etc/authd.pass

4. Add the ThreatLockDown manager IP address or DNS name in the <client><server><address> section of /Library/Ossec/etc/ossec.conf:

<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>

This allows the agent to send logs to the specified manager.

5. Restart the agent to make the changes effective:

# /Library/Ossec/bin/wazuh-control restart

6. Select the Server management > Endpoints Summary module in the ThreatLockDown dashboard to check for the newly enrolled agent and its connection status, and confirm that enrollment was successful.