ThreatLocker agent - Install on any Linux

Intent of this process:

We are going to install the ThreatLocker agent on a Linux system. While this was written based on an installation of RHEL 9, it should work with any .rpm or .deb-based installer (see FAQ below).

What you will need before starting this process:

  1. You'll need shell access (SSH or terminal-in-Cockpit) to the server in question.
  2. You'll need the appropriate installer for the ThreatLocker agent for Linux.
    1. If you have not already done so, go to ThreatLocker agent - Download in another browser tab to download the installer.
    2. Please do not download the installer and archive it somewhere for later use; it's subject to change, and running an "obsolete" installer will not produce the intended results.
  3. The computer in question must not have Secure Boot enabled.
    1. Due to the huge variation in the PC market, instructions for turning off Secure Boot in the BIOS setup are not explicitly laid out here.
    2. Is this a Linux system already in use? After disabling Secure Boot, please reboot a few times, follow these instructions to install the ThreatLocker agent, and reboot a few more times--this will help ensure that everything works as intended.
  4. Are you upgrading an existing 1.x install of the ThreatLocker agent? Check the FAQ at the bottom of this KB.

Success for this process is measured by:

  1. Upon successful installation, you'll see your Linux system appear in the ThreatLocker console.

The Process:

  1. Using a USB flash drive or SFTP, copy the downloaded file (ThreatlockerStub_e0674d6caf25187ed646e60b_H) to /home/fsucomadmin:
    1. Editor's note: this may not be the actual file name character-for-character. Likewise, when you run this in one of the next steps, type the actual file name.
       
  2. Make sure you're back at your home directory (or wherever you put the ThreatLocker installer).
    • Do this with cd (literally: no arguments).
       
  3. Run the following commands, one per command line. In the original formatting, red is typed by you and black is the OS's response; here, what you type is the text after the $ prompt. For the first command, use the actual name of the file that you downloaded and moved onto the Linux system. (Hint: use Tab to auto-complete the file name.) Your username and hostname, of course, may vary. Because you are running the commands with sudo, you may be prompted for your password if you have not run sudo recently. Editor's notes are in bold in the original formatting.

    [fsucomadmin@med-mon-float1 ~]$ chmod +x ThreatlockerStub_e0674d6caf25187ed646e60b_H
    [fsucomadmin@med-mon-float1 ~]$ sudo ./ThreatlockerStub_e0674d6caf25187ed646e60b_H
    ThreatlockerStub version: 2.2.0-1228
    Downloading installers 2.1.2 version...
    Download finished
    Installing modules /tmp/threatlocker/packages/threatlocker_2.1.2-1196_modules.rpm
    Installing agent /tmp/threatlocker/packages/2.1.2-1196_rhel_9.x86_64.rpm
    Installation finished
    Server response: 0 Success
    Server response: -5 Registration Error
      (or)
    Server response: 0 dd14c28c-4272-4ad9-bd22-fb704b322a93
     
  4. Stop. Check the line immediately prior to the final line returned once the script finished running.
     
    • If your last line was "Server response: -0", stop here and jump to the next main numbered step.
       
    • If your last line was "Server response: -5", run the following:

      [fsucomadmin@med-mon-float1 ~]$ sudo threatlockerctl --register-api-name api.h
      Server response: 0 Success
    • Then run:

      [fsucomadmin@med-mon-float1 ~]$ sudo threatlockerctl --register-computer e0674d6caf25187ed646e60b
      Server response: 0 5f385931-2d86-49fd-9054-6f20ab7453d1

       
  5. Check the ThreatLocker console and make sure the installation came through.
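
The check in step 4, as an added example (not part of ThreatLocker's tooling or of the original KB): a POSIX shell function that reads saved installer output and reports which branch of step 4 applies. The function names, the result labels and the install.log file name are assumptions; the sample transcripts are constructed from the output shown above.

```shell
#!/bin/sh
# Added example: report which branch of step 4 applies to saved stub output.

# Print the last "Server response:" line on stdin, trimmed of surrounding space.
last_server_response() {
    sed -n 's/^[[:space:]]*\(Server response:.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        tail -n 1
}

# Classify installer output on stdin. Labels are this example's own:
#   registered <id> | needs-registration | ok | unknown <code> | no-response
classify_install() (
    line=$(last_server_response)
    if [ -z "$line" ]; then echo "no-response"; exit 0; fi
    num='-\{0,1\}[0-9][0-9]*'
    code=$(printf '%s\n' "$line" | sed -n "s/^Server response: \($num\).*/\1/p")
    detail=$(printf '%s\n' "$line" | sed -n "s/^Server response: $num *\(.*\)/\1/p")
    case "$code" in
        0)
            # A trailing UUID-shaped value is what the KB shows after registration.
            if printf '%s\n' "$detail" |
                grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
                echo "registered $detail"
            else
                echo "ok"    # e.g. "0 Success"; the KB does not treat this as final
            fi ;;
        -5) echo "needs-registration" ;;   # run the two threatlockerctl commands
        *)  echo "unknown ${code:-unparsed}" ;;
    esac
)

# Constructed transcripts, based on the output shown in this KB.
sample_registered() {
    printf '%s\n' 'Installation finished' 'Server response: 0 Success' \
        'Server response: 0 dd14c28c-4272-4ad9-bd22-fb704b322a93'
}
sample_reg_error() {
    printf '%s\n' 'Installation finished' 'Server response: 0 Success' \
        'Server response: -5 Registration Error'
}

# Real use (install.log is an assumed name):
#   sudo ./<stub file> 2>&1 | tee install.log; classify_install < install.log
sample_registered | classify_install
sample_reg_error | classify_install
```

Keeping the saved log also gives ThreatLocker support the exact server responses if registration still fails after the two threatlockerctl commands.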

Frequently Asked Questions:

What Linux distributions does ThreatLocker support?

Based on the shell script to run the installer, it supports RHEL 7+, Ubuntu 16.04+, Oracle 7.9+, and CentOS 8+; other ".rpm" and ".deb" distributions may work too. Please do not install any network-exposed Linux distributions that are not original-vendor-supported. At the time of this writing, Red Hat supports RHEL 8+, and Canonical supports Ubuntu 16.04+.

Do I have to do anything different depending on the distribution?

As of the time of this writing, ThreatLocker provides a single shell script that will handle any supported distribution with no change.

What if I get a "Stub Installer is not supported on systems with enabled SecureBoot" error?

You're likely installing on a RHEL 9.x machine that explicitly needs to be reconfigured to turn Secure Boot off, which requires downtime. If this is a machine that's already in production in Azure, schedule maintenance. Then navigate to the machine and, in the left options menu, go to Settings > Configuration; scroll down in the right panel until you see "Enable secure boot" and uncheck it.

There's an existing 1.x install on the system; how do I install 2.x?

You will almost definitely be engaging ThreatLocker technical support; these instructions have failed 100% of the time when tried.

First, ask our Security and Privacy team to turn off Tamper Protection for the system in question. Before starting work, make absolutely sure tamper protection is disabled by running, on the target host, sudo threatlockerctl --antitamper n. If you receive a response other than "Server response: 0 Success", stop and do not proceed until this command shows disabled.

Run sudo dnf remove threatlocker threatlocker-modules; this will perform the uninstall. The sample command listed here lacks the -y flag to override confirmation, so you'll be asked Is this ok [y/N]:; select y.

I tried removing the ThreatLocker agent with tamper protection enabled, and now I can't install 2.x. Now what?

Run sudo find / | grep -i threatlocker to locate all remnant ThreatLocker files and remove them manually.

 

Details

Article ID: 169284
Created: Fri 10/10/25 9:10 AM
Modified: Tue 11/25/25 10:32 AM