Linux Agent installation
There are several ways to install the ThreatLocker Agent onto your Linux OS. ThreatLocker recommends using the Stub Installer for your installation.
Before deploying a ThreatLocker agent on a RHEL system, ensure the system is registered with Red Hat.
Stub installer
To install the ThreatLocker Agent using the Stub Installer, please refer to the following steps:
- Select the ‘Install Computer’ button from anywhere in the portal. This is located in the top right corner of every page. There is also an ‘Install Computer’ button located in the top left corner of the ‘Devices’ page.
- Once selected, this will open a popout window titled ‘Download Installer’.
- Keep ‘Manual Deployment’ selected as your deployment method, then select your Computer Group using the dropdown menu at the bottom of the page.
- Now that your Computer Group is selected, choose the ‘Stub Installer’ button from the list of available installers.
- Download the Linux Stub Installer to the machine you are deploying the agent on.
- Open the Linux Terminal.
- For correct error handling you need to install curl on your Linux system.
- Enter the following command into the Terminal to give your Stub Installer permissions to run as a script:
  sudo chmod +x ./(Stub Installer Name)
- Enter the following command to run the Stub Installer:
  sudo ./(updated stub installer name)
- Wait for the installation to be completed.
The following is a screenshot displaying each step as it appears in the terminal:
After seeing 'Server response: 0 Success', you should see your machine in the ThreatLocker Portal.
Installation Using 'wget'
ThreatLocker allows you to download the Stub Installer onto your machine using a wget command. To do so, please enter the following command:
wget https://api.threatlocker.com/updates/installers/threatlockerstublinux.sh
When using the wget command, the install key and instance will not be included with your installer and must be added manually. Once the file is downloaded, rename your file using the following format:
ThreatlockerStub_InstallKey_InstanceLetter
- Example: ThreatlockerStub_0123456789abcdefghijklmno_D
The Install Key can be found by navigating to 'Devices' > 'Groups' in the ThreatLocker Portal and selecting the Computer Group into which you would like to install this machine. The 'Install Key' will be located on the 'Edit Computer Group' side panel.
To find your Instance Letter, select the 'Help' button in the top right corner of any page in the ThreatLocker Portal. The Instance Letter will be located in parentheses to the right of where it says 'ThreatLocker Access'.
This file can be renamed using the 'mv' command:
mv threatlockerstublinux.sh ThreatlockerStub_InstallKey_InstanceLetter
After the file has been renamed, you must grant permissions to it for it to be executable. You can use the following command to achieve this:
sudo chmod +x ./ThreatlockerStub_InstallKey_InstanceLetter
Manual installation
For Manual Installation on a RHEL-based machine, you can run the following command (change the version number to match the package you are installing):
sudo yum install -y ./2.0.0-794_rhel_9.x86_64.rpm ./threatlocker_2.0.0-794_modules.rpm
Run the following command for Ubuntu-based machines (again, change the version number to match the package you are installing):
sudo apt install -y ./2.0.0-794_ubuntu_24_4.x86_64.deb ./threatlocker_2.0.0-794_modules.deb
Note: The 'Unsupported kernel version' messages appear based on the kernels that are installed on your machine, regardless of whether they are actively being used or not. If your kernel is not one of the unsupported kernels, those messages can be ignored.
Manually installing the packages does not connect them to the portal. To do this, you must perform the following after successfully installing the packages:
Run the following three commands:
sudo threatlockerctl --register-api-name <api name>
- Example: sudo threatlockerctl --register-api-name API
sudo threatlockerctl --custom-api <URL>
- Example: sudo threatlockerctl --custom-api https://api.h.threatlocker.com
sudo threatlockerctl --register-computer <installkey>
- Example: sudo threatlockerctl --register-computer 1231bjas012jasa919
After running the first two commands, you should see:
Server response: 0 Success
After the last command is run, you should see something similar to the following example:
Server response: 0 01232sda1-12312-asdas-s92-as19jsa91
Note: This response does not have to match exactly with yours, but there should always be a string of letters and numbers like what is shown above.
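The registration sequence above as a script, added here as an example (it is not ThreatLocker's own code): it runs the three commands in order and stops unless each one prints a 'Server response: 0' line. The TL_CTL override variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the ThreatLocker tooling.
# TL_CTL is a hypothetical override so the flow can be exercised with a stub.
TL_CTL=${TL_CTL:-sudo threatlockerctl}

# response_ok OUTPUT -> succeeds only if OUTPUT has a "Server response: 0 ..." line.
response_ok() {
    printf '%s\n' "$1" | grep -Eq '^Server response: 0( |$)'
}

# response_value OUTPUT -> prints whatever follows "Server response: 0 ".
response_value() {
    printf '%s\n' "$1" | sed -n 's/^Server response: 0 \(.*\)$/\1/p' | head -n 1
}

# run_step FLAG VALUE -> runs one threatlockerctl step and echoes its output;
# fails unless the server answered with code 0.
run_step() {
    out=$($TL_CTL "$1" "$2" 2>&1) || true
    printf '%s\n' "$out"
    response_ok "$out" || { echo "FAILED: $1" >&2; return 1; }
}

# register_agent API_NAME API_URL INSTALL_KEY
# Prints the string returned by the final step so it can be logged.
register_agent() {
    run_step --register-api-name "$1" >/dev/null || return 1
    run_step --custom-api "$2" >/dev/null || return 1
    reply=$(run_step --register-computer "$3") || return 1
    value=$(response_value "$reply")
    # The page says the last response carries a string of letters and numbers.
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Only act when all three arguments are supplied on the command line.
if [ "$#" -eq 3 ]; then
    register_agent "$1" "$2" "$3"
fi
```

Invoke it with the API name, API URL and install key as its three arguments; a non-zero exit status means one of the steps did not return 'Server response: 0'.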
Secure Boot-enabled installations are currently unsupported. Please ensure Secure Boot is disabled before proceeding with installation.
Kernel Compatibility Guidance for ThreatLocker's Linux Agent
ThreatLocker's Linux agent is designed to operate only on specific, supported Linux kernel versions, with compatibility defined down to the exact kernel build number.
Installing the ThreatLocker Agent on a supported kernel and subsequently updating the kernel to an unsupported version can lead to critical system instability, potentially rendering the machine inoperable.
If a kernel update is absolutely necessary, the ThreatLocker Agent should be uninstalled before proceeding with the update to prevent system failure.
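A pre-install and pre-reboot check for the kernel guidance above, added here as an example (not ThreatLocker's own code). It assumes you keep a local file of supported kernel releases in `uname -r` form, copied from ThreatLocker's published list, and that installed kernels can be enumerated from /lib/modules; the file, function names and output labels are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the ThreatLocker tooling.

# installed_kernels [MODULES_DIR] -> one kernel release per line.
# Assumption: each installed kernel has a directory under /lib/modules.
installed_kernels() {
    for d in "${1:-/lib/modules}"/*/; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# kernel_report SUPPORTED_FILE RUNNING [MODULES_DIR]
# Exact, whole-line matching, because support is defined per kernel build.
#   BLOCK = the running kernel is not on the list (do not install the agent)
#   WARN  = an installed kernel is not on the list (do not boot it with the agent installed)
kernel_report() {
    supported=$1 running=$2 rc=0
    if grep -Fxq -- "$running" "$supported"; then
        echo "OK running $running"
    else
        echo "BLOCK running $running"
        rc=1
    fi
    for k in $(installed_kernels "${3:-/lib/modules}"); do
        [ "$k" = "$running" ] && continue
        if grep -Fxq -- "$k" "$supported"; then
            echo "OK installed $k"
        else
            echo "WARN installed $k"
        fi
    done
    return $rc
}

# Usage: ./kernel_check.sh /path/to/supported-kernels.txt
if [ "$#" -ge 1 ]; then
    kernel_report "$1" "$(uname -r)"
fi
```

A WARN line after a package update is the point at which to uninstall the agent, or remove the new kernel, before rebooting.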
Uninstalling the ThreatLocker Linux Agent
To uninstall the ThreatLocker agent, you must first disable Tamper Protection. For questions regarding disabling Tamper Protection, please refer to the following article:
After Tamper Protection has been disabled, run the following command that corresponds with the distro you are using:
sudo <dnf|yum|apt> remove -y threatlocker threatlocker-modules