The FireEye HX Agent runs on EC2 instances and allows the Information Security and Policy Office to detect security issues and compromises, as well as providing essential information for addressing security incidents.

It is the Cloud Team's strong recommendation that systems that persist should have this agent installed. Systems where it might not be appropriate to install this agent include container hosts, EC2 instances that are part of an autoscaling group, or any other instances that could be considered ephemeral in nature. If you have questions about this, please schedule Office Hours to discuss this further.

The following are instructions for installing the Helix Agent on Linux. They have been tested on Amazon Linux 2, CentOS 6 & 7, as well as Ubuntu 18.

1. Attach an Instance Profile to the EC2 instance(s) you will be installing the HX agent on. The Instance Profile should have read access to the HX Agent bucket. See GitLab for the specific policy.
2. Download the IMAGE_HX_AGENT_LINUX_XX.XX.X.tgz file from the S3 bucket and unzip. Inside you'll find rpms for CentOS/RHEL 6 & 7, as well as for Suse 11 & 12. Additionally you'll find .deb for Ubuntu 12 and 16.
3. Upload the rpm or deb for your OS flavor, as well as the agent_config.json.
4. SSH into your instance and run:
   • For Amazon Linux, CentOS, or RHEL: sudo yum -y install xagt-XX.XX.X-X.el7.x86_64.rpm && sudo cp agent_config.json /opt/fireeye/
   • For Ubuntu: sudo dpkg -i xagt_XX.XX.X-X.ubuntu16_amd64.deb
5. Point the agent to the config: sudo /opt/fireeye/bin/xagt -i /opt/fireeye/agent_config.json
6. Start the service and set it to start on reboot
   • For Amazon Linux 2 , CentOS 7, or RHEL 7 (systemd based): sudo systemctl start xagt && sudo systemctl enable xagt
   • For Amazon Linux, CentOS 6, or RHEL 6 (sysvinit based): sudo system xagt start && chkconfig xagt on
   • For Ubuntu: sudo systemctl start xagt && sudo systemctl enable xagt

If you need guidance around permission needed for instance profiles please see our GitLab repo for step-by-step directions and a self-service CloudFormation template.