Installing and Uninstalling the ThreatLocker Linux Agent

5 min. read | Last update: 12.10.2024

The Linux Agent is currently in beta testing and we encourage you to install it only in non-production environments. Please report any issues to a Cyber Hero.

 

Included ThreatLocker Products:

  • Allowlisting

Prerequisites  

SELinux

SELinux is required for ThreatLocker Linux Agent 1.2 and earlier on Ubuntu.

SELinux is NOT installed by default on Ubuntu systems.

  1. Launch Terminal and run the following command:

     sudo apt install policycoreutils selinux-utils selinux-basics

  2. Once SELinux is installed, it must be activated with the following command:

     sudo selinux-activate

  3. Once activated, reboot the Ubuntu system:

     sudo reboot now

  4. Verify successful SELinux installation and activation with the following command:

     sestatus

  5. If the output reports SELinux as enabled, SELinux installation is complete.

Locating the Installer Package

Current Linux Beta Stub Installers can be found on any page within the ThreatLocker beta portal, including: 

  • The 'Install Computer' button on the Computers Page 

  • The 'Download Installer' button on the Computer Groups Page 

  • The 'Install Computer' button located on the top right of the portal 

Either an RPM or a DEB file can be downloaded, depending on the Linux distribution the agent will be installed on.

Renaming the ThreatLocker Linux Agent Installer Files

Files downloaded from the ThreatLocker portal must be renamed using the following naming convention before installation; otherwise the installation will fail.

When downloading a Linux installer from the portal, the installers will look something like:  
Ubuntu: ThreatLocker-xxxxxxxxxxxxxxxxxxxx.deb 
RHEL: ThreatLocker-xxxxxxxxxxxxxxxxxxxx.rpm 

The installer names will need to be changed to match the correct naming convention.

Naming Convention: 

<ThreatLockerVersionNumber>_<DistroNameAndVersion>.<Arch>_[OptionalInstallGroupKey]_[OptionalInstallInstanceLetter].<extension> 

Breakdown of Naming Convention

  • <ThreatLockerVersionNumber> 
    • The full version number of the ThreatLocker installer, formatted as Major.Minor.Build. 
      • Example: 1.2.0-318   
  • <DistroNameAndVersion> 
    • The name of the distribution and version number (major and minor) of the OS 
      • Examples: 
        • Ubuntu: ubuntu_22_4 
        • RHEL: rhel_9_4
  • <Arch> 
    • The architecture of the system. 
      • Example: x86_64  
  • Optional: <OptionalInstallGroupKey> 
    • The install key, also referred to as the Group Key 
      • This is NOT the Unique Identifier 
      • This is NOT a GUID value 
      • Example: 
        • 3d4e41e3bcede1c7990d32cb  
  • Optional: <OptionalInstallInstanceLetter> 
    • The ThreatLocker instance that the Organization is installed to 
      • Example: b  
  • <extension> 
    • The file extension based on the package type. 
      • Ubuntu: .deb 
      • RHEL: .rpm 

Ubuntu and RHEL Installer Examples:

The following are examples only and not intended to be copied directly. 

  1. Ubuntu 
     If attempting to install ThreatLocker Version 1.2 onto Ubuntu Server 22.04 on 64-bit x86 architecture, and your organization is on Instance E, the correct file name to use would be: 

       1.2.0-318_ubuntu_22_4.x86_64_[your-unique-install-key]_e.deb 

  2. RHEL 
     If attempting to install ThreatLocker Version 1.2 onto RHEL 9 on 64-bit x86 architecture, and your organization is on Instance E, the correct name to use would be: 

       1.2.0-318_rhel_9_4.x86_64_[your-unique-install-key]_e.rpm 

 

Install Agent 

  1. Install the package using the appropriate package manager for your distribution. For example, on Ubuntu you will use apt:

     <dnf|yum|apt> -y install ./<threatlockerversion>_<distro_version>.x86_64.<rpm|deb> 

     Example, on Ubuntu: sudo apt install ./1.0.5-230_ubuntu_22_4.x86_64.deb 

  2. Set the API Server with the following commands:  

     a. sudo threatlockerctl --register-api-name <api name> 

        Note: "API Name" is NOT a URL. Example: api  

     b. sudo threatlockerctl --custom-api <URL> 

  3. Register the computer to your portal: 

     sudo threatlockerctl --register-computer <installkey> 

Example:

This example uses the 1.0.5-230 .deb installer on an Ubuntu 22.04 server and registers it to api.c.threatlocker.com. 

  1. Install the package:  

     sudo apt -y install ./1.0.5-230_ubuntu_22_4.x86_64.deb 

  2. Set the API Server with the following commands:  

     a. sudo threatlockerctl --register-api-name api 

     b. sudo threatlockerctl --custom-api https://api.c.threatlocker.com  

  3. Register the computer to your portal:  

     sudo threatlockerctl --register-computer <installkey>

This example uses the 1.2.0-318 .rpm installer on a RHEL 9.4 server and registers it to api.e.threatlocker.com. 

  1. Install the package:  

     sudo dnf -y install ./1.2.0-318_rhel_9_4.x86_64.rpm 

  2. Set the API Server with the following commands:  

     a. sudo threatlockerctl --register-api-name api 

     b. sudo threatlockerctl --custom-api https://api.e.threatlocker.com  

  3. Register the computer to your portal:  

     sudo threatlockerctl --register-computer <installkey>

 

Locating the Custom API:

To locate the custom API URL, navigate to 'Help', located in the upper right corner of the portal. Replace the characters between api. and .threatlocker in the URL above with the characters in parentheses found in the Help dropdown beside the ThreatLocker Access title.
For example, using the information in the picture below, the custom-api would become https://api.e.threatlocker.com

 

Locating the Install Key: 

  1. Navigate to the Computers Page > Computer Groups.
  2. Select the group the computer being installed is a member of.
  3. In the sidebar, the Install Key is located under the General tab, labeled ‘Install Key’. 


Uninstalling the ThreatLocker Linux Agent

After disabling Tamper Protection from the ThreatLocker portal, run the command for the package manager of the distribution in use:

sudo <dnf|yum|apt> remove -y threatlocker