Get Started with CYFOX EDR for Linux
Written by Omer Kushmirski

Starting January 2025, CYFOX will officially launch its EDR version for Linux endpoints, completing comprehensive support for Windows, Linux, and macOS devices. This ensures full-spectrum protection and detection across all major operating systems.

This article provides a step-by-step walkthrough on how to start using CYFOX EDR for Linux while introducing the core principles for effectively operating the software, including:

  • Licensing

  • Installation and Uninstallation

  • Configuration and Troubleshooting

Licensing

To get started with CYFOX for Linux, make sure licenses have been purchased as part of the standard onboarding process. Once the licenses are acquired, go to the Downloads page and select the installation script for the desired OS.

For example, if you purchase 10 licenses, you can:

  • Split them across Windows, Linux, and macOS

  • Deploy all 10 on Linux devices

  • Use any other combination that suits your needs

Setup Requirements

From this point of the article, we assume that all licenses are valid and operating as intended. Any licensing issues encountered are likely unrelated to the Linux installation process and may indicate a broader licensing concern. For assistance with licensing matters, please contact the CYFOX support team.

Before installing, please make sure the machine meets the Linux system requirements.

Next, ensure you obtain the latest Linux EDR installation script, which is accessible through the CYFOX Management Interface:

  • For MSSPs/Resellers: Log in to cloud.cyfox.com using your account credentials. Then, navigate to the User Profile section (located at the top-right corner), select Downloads, and choose the relevant Linux installation script.

  • For XDR Admins (users managing a single XDR unit), the script is accessible directly under the Downloads option in the main menu.

Installation

Follow the steps below to install and configure the agent based on your Linux distribution.

Installation on CentOS, Rocky Linux, Fedora, SUSE for SAP, or openSUSE:

  1. Download the package

    wget -c https://download.cyfox.com/agent/linux/cfx-1.02.3-2.x86_64.rpm

  2. Install the package

    Use one of the following commands based on your package manager:

    yum install ./cfx-1.02.3-2.x86_64.rpm

    OR

    dnf install ./cfx-1.02.3-2.x86_64.rpm

    OR

    rpm -ihv ./cfx-1.02.3-2.x86_64.rpm

  3. Edit the configuration file

    Open the configuration file using a text editor:

    nano /opt/cfx/etc/cfx.conf

    Ensure the following configuration:

    [api]
    address =
    port = 4242
    licensingUrl = https://uclmcfw9w4.execute-api.us-east-2.amazonaws.com/prod

    Note: The licensingUrl parameter is required only for Linux EDR cloud agents.

    [general]
    logpath = /var/log/cfx.log
    debug = False

  4. Restart the service

    systemctl restart cfx

  5. Activate the license

    Replace <activation_key> and <license_key> with your actual keys:

    /opt/cfx/bin/cfx -a <activation_key> -e <license_key>

Installation on Debian or Ubuntu:

  1. Download the package

    wget -c https://download.cyfox.com/agent/linux/cfx_1.02.3-2_amd64.deb

  2. Install the package

    Install the package with apt-get:

    apt-get install ./cfx_1.02.3-2_amd64.deb

  3. Edit the configuration file

    Open the configuration file using a text editor:

    nano /opt/cfx/etc/cfx.conf

    Ensure the following configuration:

    [api]
    address =
    port = 4242
    licensingUrl = https://uclmcfw9w4.execute-api.us-east-2.amazonaws.com/prod

    Note: The licensingUrl parameter is required only for Linux EDR cloud agents.

    [general]
    logpath = /var/log/cfx.log
    debug = False

  4. Restart the service

    systemctl restart cfx

  5. Activate the license

    Replace <activation_key> and <license_key> with your actual keys:

    /opt/cfx/bin/cfx -a <activation_key> -e <license_key>
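Steps 3 to 5 are the same on both package families, so here is an added example (not CYFOX's own tooling) that applies them idempotently: it sets the required cfx.conf keys without duplicating or clobbering anything else in the file, restarts the service, and activates the license. It assumes the package from steps 1 and 2 is already installed and that the keys are exported as CFX_ACTIVATION_KEY and CFX_LICENSE_KEY (hypothetical variable names chosen for this example).

```shell
#!/bin/sh
# Added example, not CYFOX's own tooling: applies the cfx.conf settings from
# steps 3-5 idempotently, so re-running it never duplicates keys. Assumes the
# package from steps 1-2 is installed and the keys are exported as
# CFX_ACTIVATION_KEY / CFX_LICENSE_KEY (hypothetical variable names).
CFX_CONF="${CFX_CONF:-/opt/cfx/etc/cfx.conf}"

# set_ini_key FILE SECTION KEY VALUE: replace "key = ..." under [section], or
# append it (creating the section if missing). Other keys stay untouched, so
# "address =" keeps whatever it already holds.
set_ini_key() {
  tmp=$(mktemp) || return 1
  awk -v sec="$2" -v k="$3" -v v="$4" '
    /^\[/ {                                   # section header
      if (insec && !done) { print k " = " v; done = 1 }
      insec = ($0 == ("[" sec "]")); if (insec) found = 1
      print; next
    }
    insec && !done && ($0 ~ ("^[ \t]*" k "[ \t]*=")) { print k " = " v; done = 1; next }
    { print }
    END { if (!done) { if (!found) print "[" sec "]"; print k " = " v } }
  ' "$1" > "$tmp" && cat "$tmp" > "$1"          # cat keeps the file owner/mode
  rc=$?; rm -f "$tmp"; return $rc
}

# get_ini_key FILE SECTION KEY: print the value of KEY under [SECTION]
get_ini_key() {
  awk -v sec="$2" -v k="$3" '
    /^\[/ { insec = ($0 == ("[" sec "]")); next }
    insec && ($0 ~ ("^[ \t]*" k "[ \t]*=")) { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# configure_cfx [CONF]: steps 3-5 of the article for a cloud agent
configure_cfx() {
  conf=${1:-$CFX_CONF}
  set_ini_key "$conf" api port 4242
  set_ini_key "$conf" api licensingUrl https://uclmcfw9w4.execute-api.us-east-2.amazonaws.com/prod
  set_ini_key "$conf" general logpath /var/log/cfx.log
  set_ini_key "$conf" general debug False
  systemctl restart cfx
  # keys come from the environment so they never land in shell history
  /opt/cfx/bin/cfx -a "$CFX_ACTIVATION_KEY" -e "$CFX_LICENSE_KEY"
}

# Run as: CFX_ACTIVATION_KEY=... CFX_LICENSE_KEY=... sh configure-cfx.sh configure
if [ "${1:-}" = "configure" ]; then configure_cfx; fi
```

Run it as root after the package install; check the result with `get_ini_key /opt/cfx/etc/cfx.conf api licensingUrl` before restarting the service by hand.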

What's Next

Unlike macOS or Windows, CYFOX's Linux EDR does not immediately mitigate system activity upon installation. This is intentional, as continuously monitoring and mitigating file activity across all paths in Linux would be excessively resource-intensive.

Linux systems often handle a large number of processes and file operations simultaneously, many of which occur in critical system directories or temporary paths. Monitoring every file operation in real time would result in significant overhead, potentially impacting system performance and stability. Instead, this approach allows administrators to define specific paths for monitoring, ensuring efficient and targeted protection without compromising the system's performance.

This design requires the system administrator to define specific paths where the Linux EDR should operate.

Configuring Instructions

  1. Navigate to Policy → FIM.

  2. Next to the FIM Subscriptions title, click on Add.

  3. In the "Add Subscription" window:

    • Change the management type from Windows - Agent to Linux.

    • Define the specific path to monitor.

  4. Once saved, the Linux EDR will start operating based on the defined paths for the endpoint, using the following default actions:

    • Kill Process: Terminates the process on malicious hash detection.

    • Quarantine File: Quarantines the file on malicious hash detection.

    • Block Connection: Blocks the connection on malicious network activity and kills the related process.

You can extend the policy by changing the prevention mode from normal to aggressive, either for a specific Falco event or for all events.

Prevention Modes:

  1. Kill Process:

    • Normal Mode: Kills the process by its PID.

    • Aggressive Mode: Kills both the process (PID) and its parent process (PPID).

  2. Block Connection:

    • Kills the process related to the connection.

    • Blocks the connection with a persistent firewall rule.

  3. Quarantine File:

    • Kills the related process (if specified in the event).

    • Quarantines the file to prevent execution of the binary.

  4. Network Isolation:

    • Isolates the device from all incoming and outgoing network connections.

    • Exceptions are made for communication with the server for device management.

Configuring Event Response Policies

  1. Navigate to Policy → Event Response.

  2. Scroll down to the Agent Response section.

  3. Click on Add.

  4. Select the level where the rule should apply:

    • Global: Applies to all endpoints organization-wide.

    • Group: Applies to a predefined group of endpoints.

    • Host: Applies to specific individual endpoints.

  5. Optionally, specify the Falco rule to which the policy applies.

  6. Change the mode from normal to aggressive for enhanced mitigation.
