ThreatLockDown agent

Restore your ThreatLockDown agent installation by following these steps.

Note

You need root user privileges to execute the commands below.

Linux

You need to have a new installation of the ThreatLockDown agent on a Linux endpoint. Follow the Deploying ThreatLockDown agents on Linux endpoints guide to perform a fresh ThreatLockDown agent installation.

Preparing the data restoration

  1. Compress the files generated after performing the ThreatLockDown files backup and transfer them to the respective monitored endpoints.

    # tar -cvzf wazuh_agent.tar.gz ~/wazuh_files_backup/
    
  2. Move the compressed file to the root / directory of your node:

    # mv wazuh_agent.tar.gz /
    # cd /
    
  3. Decompress the backup files and change the current working directory to the subdirectory named after the date and time of the backup.

    # tar -xzvf wazuh_agent.tar.gz
    # cd ~/wazuh_files_backup/<DATE_TIME>
    

Restoring ThreatLockDown agent files

Perform the steps below to restore the ThreatLockDown agent files on a Linux endpoint.

  1. Stop the ThreatLockDown agent to prevent any modification to the ThreatLockDown agent files during the restore process:

    # systemctl stop wazuh-agent
    
  2. Restore ThreatLockDown agent data, certificates, and configuration files, and change the file permissions and ownerships accordingly:

    # sudo cp var/ossec/etc/client.keys /var/ossec/etc/
    # chown wazuh:wazuh /var/ossec/etc/client.keys
    # sudo cp var/ossec/etc/ossec.conf /var/ossec/etc/
    # chown root:wazuh /var/ossec/etc/ossec.conf
    # sudo cp var/ossec/etc/internal_options.conf /var/ossec/etc/
    # chown root:wazuh /var/ossec/etc/internal_options.conf
    # sudo cp var/ossec/etc/local_internal_options.conf /var/ossec/etc/
    # chown root:wazuh /var/ossec/etc/local_internal_options.conf
    # sudo cp -r var/ossec/etc/*.pem /var/ossec/etc/
    # chown -R root:wazuh /var/ossec/etc/*.pem
    # sudo cp -r var/ossec/logs/* /var/ossec/logs/
    # chown -R wazuh:wazuh /var/ossec/logs/
    # sudo cp -r var/ossec/queue/rids/* /var/ossec/queue/rids/
    # chown -R wazuh:wazuh /var/ossec/queue/rids/
    
  3. Restore your custom files, such as local SCA policies, active response scripts, and wodle commands, if there are any, and change the file permissions. Adapt the following commands accordingly.

    # sudo cp var/ossec/etc/<SCA_DIRECTORY>/<CUSTOM_SCA_FILE> /var/ossec/etc/<SCA_DIRECTORY>/
    # chown wazuh:wazuh /var/ossec/etc/<SCA_DIRECTORY>/<CUSTOM_SCA_FILE>
    # sudo cp var/ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT> /var/ossec/active-response/bin/
    # chown root:wazuh /var/ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT>
    # sudo cp var/ossec/wodles/<CUSTOM_WODLE_SCRIPT> /var/ossec/wodles/
    # chown root:wazuh /var/ossec/wodles/<CUSTOM_WODLE_SCRIPT>
    
  4. Start the ThreatLockDown agent service:

    # systemctl start wazuh-agent
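
As an added example that is not part of the ThreatLockDown documentation, the POSIX shell script below performs step 2 of the Linux restore from a table of the files and owners this page lists, skips anything absent from the backup, and then verifies the result. The function names, the wazuh user and the layout of the backup tree are assumptions; ownership is applied and checked only when the script runs as root on a host where the wazuh user exists.

```shell
# Added example, not from the ThreatLockDown documentation: restore the Linux agent files this
# page lists from a backup tree into a target root with the page's ownership, then verify.
# Assumes BACKUP_DIR holds the tree as the backup produced it; TARGET_ROOT is "/" on the endpoint.
set -eu

# Relative path and owner:group, from the page's cp/chown lines. The *.pem certificates and
# custom SCA/wodle files are added the same way once their exact names are known.
AGENT_FILES='
var/ossec/etc/client.keys wazuh:wazuh
var/ossec/etc/ossec.conf root:wazuh
var/ossec/etc/internal_options.conf root:wazuh
var/ossec/etc/local_internal_options.conf root:wazuh
var/ossec/logs wazuh:wazuh
var/ossec/queue/rids wazuh:wazuh
'

# Ownership is applied and checked only as root on a host where the wazuh user exists.
can_chown() { [ "$(id -u)" -eq 0 ] && id wazuh >/dev/null 2>&1; }

# restore_agent_files BACKUP_DIR TARGET_ROOT: copies each listed entry and prints the number restored.
restore_agent_files() {
    backup="$1"; root="$2"; restored=0
    while read -r rel owner; do
        [ -n "$rel" ] || continue
        [ -e "$backup/$rel" ] || { echo "not in backup, skipped: $rel" >&2; continue; }
        if [ -d "$backup/$rel" ]; then mkdir -p "$root/$rel" && cp -R "$backup/$rel/." "$root/$rel/"
        else mkdir -p "$root/$(dirname "$rel")" && cp "$backup/$rel" "$root/$rel"; fi
        if can_chown; then chown -R "$owner" "$root/$rel"; fi
        restored=$((restored + 1))
    done <<EOF
$AGENT_FILES
EOF
    echo "$restored"
}

# verify_agent_files TARGET_ROOT: returns 0 only if every entry exists (and, as root, has the expected owner).
verify_agent_files() {
    root="$1"; bad=0
    while read -r rel owner; do
        [ -n "$rel" ] || continue
        [ -e "$root/$rel" ] || { echo "missing: $root/$rel" >&2; bad=$((bad + 1)); continue; }
        # GNU stat syntax; the macOS equivalent is: stat -f '%Su:%Sg'
        if can_chown && [ "$(stat -c '%U:%G' "$root/$rel")" != "$owner" ]; then
            echo "wrong owner on $rel, expected $owner" >&2; bad=$((bad + 1))
        fi
    done <<EOF
$AGENT_FILES
EOF
    [ "$bad" -eq 0 ]
}
```

Run the restore once with a scratch TARGET_ROOT first; the skipped-file messages tell you which entries the backup is missing before anything touches /var/ossec.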
    

Windows

You need to have a new installation of the ThreatLockDown agent on a Windows endpoint. Follow the Installing ThreatLockDown agents on Windows endpoints guide to perform a fresh ThreatLockDown agent installation.

Preparing the data restoration

  1. Compress the files generated after performing the ThreatLockDown files backup and transfer them to the Downloads directory of the respective agent endpoints.

  2. Decompress the file using 7-Zip or any of your preferred tools.

Restoring ThreatLockDown agent files

Perform the steps below to restore the ThreatLockDown agent files on a Windows endpoint.

  1. Stop the ThreatLockDown agent to prevent any modification to the ThreatLockDown agent files during the restore process by running the following command on the Command Prompt as an administrator:

    NET STOP WazuhSvc
    
  2. Launch PowerShell or the CMD utility as an administrator and navigate to the wazuh_files_backup/<DATE_TIME> folder that contains the backup files.

  3. Run the following commands to copy the ThreatLockDown agent data, certificates, and configurations:

    > xcopy client.keys "C:\Program Files (x86)\ossec-agent\" /H /I /K /S /X /Y
    > xcopy ossec.conf "C:\Program Files (x86)\ossec-agent\" /H /I /K /S /X /Y
    > xcopy internal_options.conf "C:\Program Files (x86)\ossec-agent\" /H /I /K /S /X /Y
    > xcopy local_internal_options.conf "C:\Program Files (x86)\ossec-agent\" /H /I /K /S /X /Y
    > xcopy *.pem "C:\Program Files (x86)\ossec-agent\" /H /I /K /S /X /Y
    > xcopy ossec.log "C:\Program Files (x86)\ossec-agent\" /H /I /K /S /X /Y
    > xcopy logs\* "C:\Program Files (x86)\ossec-agent\" /H /I /K /S /X /Y
    > xcopy rids\* "C:\Program Files (x86)\ossec-agent\" /H /I /K /S /X /Y
    

    You can also copy these files using the drag and drop method.

  4. Restore your custom files, such as local SCA policies, active response scripts, and wodle commands, if there are any. Adapt the following command accordingly.

    > xcopy <SCA_DIRECTORY>\<CUSTOM_SCA_FILE> "C:\Program Files (x86)\ossec-agent\<SCA_DIRECTORY>" /H /I /K /S /X /Y
    > xcopy active-response\bin\<CUSTOM_ACTIVE_RESPONSE_SCRIPT> "C:\Program Files (x86)\ossec-agent\active-response\bin\" /H /I /K /S /X /Y
    > xcopy wodles\<CUSTOM_WODLE_SCRIPT> "C:\Program Files (x86)\ossec-agent\wodles\" /H /I /K /S /X /Y
    
  5. Start the ThreatLockDown agent service by running the following command on the Command Prompt as an administrator:

    NET START WazuhSvc
    

macOS

You need to have a new installation of the ThreatLockDown agent on a macOS endpoint. Follow the Installing ThreatLockDown agents on macOS endpoints guide to perform a fresh ThreatLockDown agent installation.

Preparing the data restoration

  1. Compress the files generated after performing the ThreatLockDown files backup and transfer them to the endpoint with the ThreatLockDown agent installed.

    # tar -cvzf wazuh_agent.tar.gz ~/wazuh_files_backup/
    
  2. Move the compressed file to the Downloads directory of your node:

    # mv wazuh_agent.tar.gz ~/Downloads
    # cd ~/Downloads
    
  3. Decompress the backup files and change the current working directory to the subdirectory named after the date and time of the backup.

    # tar -xzvf wazuh_agent.tar.gz
    # cd wazuh_files_backup/<DATE_TIME>
    

Restoring ThreatLockDown agent files

Perform the steps below to restore ThreatLockDown agent files on a macOS endpoint.

  1. Stop the ThreatLockDown agent to prevent any modification to the ThreatLockDown agent files during the restore process:

    # /Library/Ossec/bin/wazuh-control stop
    
  2. Restore ThreatLockDown agent data, certificates, and configuration files:

    # cp Library/Ossec/etc/client.keys /Library/Ossec/etc/
    # cp Library/Ossec/etc/ossec.conf /Library/Ossec/etc/
    # cp Library/Ossec/etc/internal_options.conf /Library/Ossec/etc/
    # cp Library/Ossec/etc/local_internal_options.conf /Library/Ossec/etc/
    # cp -R Library/Ossec/etc/*.pem /Library/Ossec/etc/
    # cp -R Library/Ossec/logs/* /Library/Ossec/logs/
    # cp -R Library/Ossec/queue/rids/* /Library/Ossec/queue/rids/
    
  3. Restore custom files, such as local SCA policies, active response, and wodle scripts, if there are any.

    # sudo cp Library/Ossec/<SCA_DIRECTORY>/<CUSTOM_SCA_FILE> /Library/Ossec/<SCA_DIRECTORY>/
    # sudo cp Library/Ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT> /Library/Ossec/active-response/bin/
    # sudo cp Library/Ossec/wodles/<CUSTOM_WODLE_SCRIPT> /Library/Ossec/wodles/
    
  4. Start the ThreatLockDown agent service:

    # /Library/Ossec/bin/wazuh-control start
    

Verifying data restoration

  1. Run the command below on your ThreatLockDown server to check if the ThreatLockDown agent is connected and active:

    # /var/ossec/bin/agent_control -l
    
  2. Using the ThreatLockDown dashboard, navigate to Active agents. Select your ThreatLockDown agent to see the data from the backup, such as Threat Hunting, Vulnerability Detection, Configuration Assessment, and others.