The FireEye HX Agent runs on EC2 instances and allows the ITS Security Office  to detect security issues and compromises, as well as providing essential information for addressing security incidents.
The following are instructions for installing the Helix Agent on Linux. They have been tested on Amazon Linux 2, CentOS 6 & 7, as well as Ubuntu 18.
- Attach an Instance Profile  to the EC2 instance(s) you will be installing the HX agent on. The Instance Profile should have read access to the HX Agent bucket. See GitLab  for the specific policy.
- Download the IMAGE_HX_AGENT_LINUX_XX.XX.X.tgz file from the S3 bucket  and unzip. Inside you'll find rpms for CentOS/RHEL 6 & 7, as well as for Suse 11 & 12. Additionally you'll find .deb for Ubuntu 12 and 16.
- Upload the rpm or deb for your OS flavor, as well as the agent_config.json.
- SSH into your instance and run:
- For Amazon Linux, CentOS, or RHEL: sudo yum -y install xagt-XX.XX.X-X.el7.x86_64.rpm && sudo cp agent_config.json /opt/fireeye/
- For Ubuntu: sudo dpkg -i xagt_XX.XX.X-X.ubuntu16_amd64.deb
- Point the agent to the config: sudo /opt/fireeye/bin/xagt -i /opt/fireeye/agent_config.json
- Start the service and set it to start on reboot
- For Amazon Linux 2 , CentOS 7, or RHEL 7 (systemd based): sudo systemctl start xagt && sudo systemctl enable xagt
- For Amazon Linux, CentOS 6, or RHEL 6 (sysvinit based): sudo system xagt start && chkconfig xagt on
- For Ubuntu: sudo systemctl start xagt && sudo systemctl enable xagt
If you need guidance around permission needed for instance profiles please see our GitLab repo  for step-by-step directions and a self-service CloudFormation template.