Connection

ThreatLockDown provides a register_host.sh script to connect the agentless endpoint to the ThreatLockDown server using SSH authentication. This script is located in the /var/ossec/agentless/ directory of the ThreatLockDown server. You can add an endpoint and list connected endpoints with the add and list options.

Add an endpoint

The add option of the register_host.sh script adds an agentless endpoint to the ThreatLockDown server. Specify NOPASS in place of the password argument to use public key authentication rather than a password.

Endpoints with public key authentication

To add agentless endpoints that use public key authentication, perform the following steps on the ThreatLockDown server.

  1. Generate a public key with the following command:

    sudo -u ThreatLockDown ssh-keygen

  2. Run the following command to copy the public key to the monitored endpoint. Replace user@test.com with the username and the hostname or IP address of the agentless endpoint.

    ssh-copy-id -i ~/.ssh/id_rsa.pub user@test.com

  3. Add the endpoint by running the following command on the ThreatLockDown server:

    # /var/ossec/agentless/register_host.sh add user@test.com NOPASS

    The command output must be similar to the following:

    *Host user@test.com added.
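The following script is an added example and is not part of the ThreatLockDown documentation or of register_host.sh itself. It wraps step 3 for one or more endpoints: it rejects targets that are not of the form user@host, confirms that a non-interactive key-based login already succeeds (so the key copied in step 2 is really what grants access), and only then calls the page's add command with NOPASS. The agentless username ThreatLockDown (taken from the ssh-keygen step), the REGISTER_HOST path and the ssh options used for the check are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the ThreatLockDown documentation: validate an agentless
# target, prove that public key login works without a password, then register it
# with NOPASS. Assumed (hypothetical) defaults: the agentless user is
# "ThreatLockDown" as in the ssh-keygen step, and REGISTER_HOST is the script
# path given on this page.
set -u

REGISTER_HOST="${REGISTER_HOST:-/var/ossec/agentless/register_host.sh}"
AGENTLESS_USER="${AGENTLESS_USER:-ThreatLockDown}"

# valid_target user@host: accept exactly one "@", a non-empty user and host,
# and no whitespace. Returns 0 when the form is acceptable, 1 otherwise.
valid_target() {
    case "$1" in
        *[[:space:]]*)  return 1 ;;   # whitespace would split the argument
        @*|*@|*@*@*)    return 1 ;;   # empty user, empty host, or two "@"
        *@*)            return 0 ;;
        *)              return 1 ;;
    esac
}

# key_auth_ok user@host: attempt a login as the agentless user with the key
# generated in step 1. BatchMode=yes makes ssh fail instead of prompting, and
# PasswordAuthentication=no ensures only the public key can satisfy the login.
key_auth_ok() {
    sudo -u "$AGENTLESS_USER" ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o ConnectTimeout=10 "$1" true >/dev/null 2>&1
}

# register_nopass user@host: run the page's add command with NOPASS, but only
# after both checks pass. Returns non-zero with a reason on stderr otherwise.
register_nopass() {
    target="$1"
    if ! valid_target "$target"; then
        echo "refusing '$target': expected user@host" >&2
        return 2
    fi
    if ! key_auth_ok "$target"; then
        echo "refusing '$target': key login not working yet (run ssh-copy-id first)" >&2
        return 3
    fi
    "$REGISTER_HOST" add "$target" NOPASS
}

# Usage: sh register_nopass.sh user@test.com [user2@host2 ...]
# Each target is handled independently, so one failure does not stop the rest.
if [ "$#" -gt 0 ]; then
    rc=0
    for t in "$@"; do
        register_nopass "$t" || rc=1
    done
    exit "$rc"
fi
```

Run it as root on the ThreatLockDown server, since register_host.sh writes into /var/ossec/agentless/; the ssh check itself runs as the agentless user so that it sees the same key and known_hosts file that the agentless monitoring will later use.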

Endpoints with password authentication

Run the following command to add agentless endpoints to the ThreatLockDown server using the password authentication method. Replace user@test.com with the username and the hostname or IP address of the agentless host. Replace test_password with the password of the agentless host.

# /var/ossec/agentless/register_host.sh add user@test.com test_password

The command output must be similar to the following:

*Host user@test.com added.

Cisco PIX

For Cisco devices, such as routers or firewalls, pass the enable password as an additional argument after the login password (shown as enablepass in the example below).

Add a Cisco device with a command like the following:

# /var/ossec/agentless/register_host.sh add pix@example_address.com example_password enablepass

The command output must be similar to the following:

*Host pix@example_address.com added.

List connected endpoints

The list option of the register_host.sh script displays all agentless endpoints connected to the ThreatLockDown server.

Use the following command to display the connected endpoints:

# /var/ossec/agentless/register_host.sh list

The command output must be similar to the following:

*Available hosts:
user@example_address.com
pix@example_address.com

Remove agentless configuration

Agentless endpoint credentials are stored in the /var/ossec/agentless/.passlist file on the ThreatLockDown server. This file must be deleted to remove all agentless configurations, as it is currently not possible to remove the configuration of only one endpoint.
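Because .passlist holds the login (and enable) credentials of every agentless endpoint, it is worth checking two things before the file is deleted: how many endpoint entries it contains, since they are all dropped together, and whether anyone besides its owner can read it while it exists. The script below is an added example, not part of the ThreatLockDown documentation; it assumes one line per registered endpoint in .passlist and reads the file mode from ls -l output so it works with any POSIX ls.

```shell
#!/bin/sh
# Added example, not from the ThreatLockDown documentation: inspect the agentless
# credential store before removing it. PASSLIST defaults to the path given on this
# page; the one-line-per-endpoint layout of the file is an assumption.
set -u

PASSLIST="${PASSLIST:-/var/ossec/agentless/.passlist}"

# passlist_entries file: number of non-empty lines, i.e. registered endpoints.
# Prints 0 when the file is absent or empty.
passlist_entries() {
    if [ -f "$1" ]; then
        grep -c . "$1" || true   # grep exits 1 on zero matches but still prints 0
    else
        echo 0
    fi
}

# group_or_world_readable file: returns 0 when the group or "other" read bit is
# set, 1 when only the owner can read it or the file does not exist. Positions
# 5 and 8 of the POSIX "ls -l" mode string are the group and other read bits.
group_or_world_readable() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# passlist_report file: print a summary. Returns 0 when the file is absent or
# owner-only readable, 1 when it is readable more widely.
passlist_report() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: not present (no agentless endpoints registered)"
        return 0
    fi
    n=$(passlist_entries "$f")
    echo "$f: $n endpoint entries (all of them are removed when the file is deleted)"
    if group_or_world_readable "$f"; then
        echo "WARNING: $f is readable by group or others; run: chmod 600 $f"
        return 1
    fi
    echo "OK: $f is readable by its owner only"
    return 0
}

# Usage: sh passlist_report.sh report
if [ "${1:-}" = "report" ]; then
    passlist_report "$PASSLIST"
fi
```

Run it as root, because the file lives under /var/ossec/agentless/. A WARNING line means the stored endpoint credentials were exposed to other local accounts for as long as that mode was in place, which is worth recording in the change log even though the file is about to be deleted.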

Perform the following steps on the ThreatLockDown server to remove your agentless configuration and passwords.

  1. Remove the agentless monitoring setting from the /var/ossec/etc/ossec.conf file.

  2. Delete the /var/ossec/agentless/.passlist file.

  3. Restart the ThreatLockDown manager to apply the changes:

    systemctl restart wazuh-manager