Intent of this process:
We are going to install the ThreatLocker agent on a Linux system. While this was written based on an installation of RHEL 9, it should work with any .rpm or .deb-based installer (see FAQ below).
IOPS: Please fix these instructions if the ThreatLocker installation instructions change; also, please note above if installed successfully under a different distribution.
What you will need before starting this process:
- You'll need shell access (SSH or terminal-in-cockpit) access to the server in question.
- You'll need the appropriate installer for the ThreatLocker agent for Linux.
- If you have not already done so, go to ThreatLocker agent - Download in another browser tab to download the installer.
- Please do not download the installer and archive it somewhere for later use; it's subject to change.
- The computer in question may not have Secure Boot enabled.
- Due to the huge variation in the PC market, instructions for turning off Secure Boot in the BIOS setup are not explicitly laid out here.
- Is this a Linux system already in use? After disabling Secure Boot, please reboot a few times, follow these instructions to install the ThreatLocker agent, and reboot a few more times--this will help ensure that everything works as intended.
Success for this process is measured by:
- Upon successful installation, you'll see your Linux system appear in the ThreatLocker console
The Process:
- Using a USB flash drive or SFTP, copy the downloaded file (
ThreatlockerStub_e0674d6caf25187ed646e60b_H) to /home/fsucomadmin:
- Editor's note: this may not be the actual file name character-for-character. Likewise, when you run this in one of the next steps, type the actual file name.
- Make sure you're back at your home directory (or wherever you put the CrowdStrike installer).
- Do this with
cd (literally: no arguments).
- Run the following commands, one per command line. Please note that red is typed by you, while black is the OS's response. For the first command, use the actual file name that you have downloaded and moved into the Linux system. (Hint: use Tab to auto-typeback the file name). Your username and hostname, of course, may vary. As you are running the commands with
sudo, you may be prompted for your password if you had not run sudo recently. Editor's notes are in bold.
[fsucomadmin@med-mon-float1 ~]$ chmod +x ThreatlockerStub_e0674d6caf25187ed646e60b_H
[fsucomadmin@med-mon-float1 ~]$ sudo ./ThreatlockerStub_e0674d6caf25187ed646e60b_H
ThreatlockerStub version: 2.2.0-1228
Downloading installers 2.1.2 version...
Download finished
Installing modules /tmp/threatlocker/packages/threatlocker_2.1.2-1196_modules.rpm
Installing agent /tmp/threatlocker/packages/2.1.2-1196_rhel_9.x86_64.rpm
Installation finished
Server response: 0 Success
Server response: -5 Registration Error This error is known and may be safely ignored; just keep going.
[fsucomadmin@med-mon-float1 ~]$ sudo threatlockerctl --register-api-name api.h
Server response: 0 Success
[fsucomadmin@med-mon-float1 ~]$ sudo threatlockerctl --register-computer e0674d6caf25187ed646e60b
Server response: 0 5f385931-2d86-49fd-9054-6f20ab7453d1
- Check the ThreatLocker console and make sure the installation came through.
Frequently Asked Questions:
What Linux distributions does Threatlocker support?
Based on the shell script to run the installer, it supports RHEL 7+, Ubuntu 16.04+, Oracle 7.9+, and CentOS 8+; other ".rpm" and ".deb" distributions may work too. Please do not install any network-exposed Linux distributions that are not original-vendor-supported. At the time of this writing, Red Hat supports RHEL 8+, and Canonical supports Ubunut 16.04+.
Do I have to do anything different depending on the distribution?
As of the time of this writing, ThreatLocker provides a single shell script that will handle any supported distribution with no change.