Get Started with CYFOX EDR for Linux
Written by Omer Kushmirski
Updated over a week ago

Starting January 2025, CYFOX will officially launch its EDR version for Linux endpoints, completing comprehensive support for Windows, Linux, and macOS devices. This ensures full-spectrum protection and detection across all major operating systems.

This article provides a step-by-step walkthrough on how to start using CYFOX EDR for Linux while introducing the core principles for effectively operating the software, including:

  • Licensing

  • Installation and Uninstallation

  • Configuration and Troubleshooting

Licensing

To start with CYFOX for Linux, make sure licenses are purchased as part of the standard onboarding process. Once licenses are acquired, go to the Downloads page and choose the installation script for the desired OS.

For example, if you purchase 10 licenses, you can:

  • Split them across Windows, Linux, and macOS

  • Deploy all 10 on Linux devices

  • Use any other combination that suits your needs


Setup Requirements

From this point of the article, we assume that all licenses are valid and operating as intended. Any licensing issues encountered are likely unrelated to the Linux installation process and may indicate a broader licensing concern. For assistance with licensing matters, please contact the CYFOX support team.

Before installing, make sure the machine meets the Linux system requirements.

Next, ensure you obtain the latest Linux EDR installation script, which is accessible through the CYFOX Management Interface:

  • For MSSPs/Resellers: Log in to cloud.cyfox.com using your account credentials. Then, navigate to the User Profile section (located at the top-right corner), select Downloads, and choose the relevant Linux installation script.

  • For XDR Admins (users managing a single XDR unit), the script is accessible directly under the Downloads option in the main menu.


Installation (Manual)

Follow the steps below to install and configure the agent based on your Linux distribution.

Installation on CentOS, Rocky Linux, Fedora, SUSE for SAP, or openSUSE:

  1. Download the package

    wget -c https://download.cyfox.com/agent/linux/cfx-1.02.3-2.x86_64.rpm

  2. Install the package

    Use one of the following commands based on your package manager:

    yum install ./cfx-1.02.3-2.x86_64.rpm

    OR

    dnf install ./cfx-1.02.3-2.x86_64.rpm

    OR

    rpm -ihv ./cfx-1.02.3-2.x86_64.rpm
  3. Edit the configuration file

    Open the configuration file using a text editor:

    nano /opt/cfx/etc/cfx.conf

    Ensure the following configuration:

    [api]
    address =
    port = 4242
    licensingUrl = https://uclmcfw9w4.execute-api.us-east-2.amazonaws.com/prod

    Note: The licensingUrl parameter is required only for Linux EDR cloud agents.

    [general]
    logpath = /var/log/cfx.log
    debug = False
  4. Restart the service

    systemctl restart cfx
  5. Activate the license

    Replace <activation_key> and <license_key> with your actual keys:

    /opt/cfx/bin/cfx -a <activation_key> -e <license_key>

Installation on Debian or Ubuntu:

  1. Download the package

    wget -c https://download.cyfox.com/agent/linux/cfx_1.02.3-2_amd64.deb

  2. Install the package

    Use one of the following commands based on your package manager:

    apt-get install ./cfx_1.02.3-2_amd64.deb

  3. Edit the configuration file

    Open the configuration file using a text editor:

    nano /opt/cfx/etc/cfx.conf

    Ensure the following configuration:

    [api]
    address =
    port = 4242
    licensingUrl = https://uclmcfw9w4.execute-api.us-east-2.amazonaws.com/prod

    Note: The licensingUrl parameter is required only for Linux EDR cloud agents.

    [general]
    logpath = /var/log/cfx.log
    debug = False

  4. Restart the service

    systemctl restart cfx

  5. Activate the license

    Replace <activation_key> and <license_key> with your actual keys:

    /opt/cfx/bin/cfx -a <activation_key> -e <license_key>


Installation (Repository)

For RHEL-based Systems (Rocky Linux, CentOS, Fedora, openSUSE, SUSE for SAP)

Create the CYFOX repository file

cat << EOF > /etc/yum.repos.d/cyfox.repo
[CyFox-Agent-\$basearch]
name=CyFox-Agent-\$basearch
baseurl=https://rpm.cyfox.com/fedora/\$basearch
enabled=1
gpgcheck=0
EOF

Note: every \$basearch must be escaped as shown; the heredoc is unquoted, so an unescaped $basearch would be expanded by the shell to an empty string instead of being written into the repository file for dnf to substitute. Also note that gpgcheck=0 turns off RPM signature verification for this repository.

Update the package manager

dnf update

Install the CYFOX agent:

dnf install cfx

For Debian-based Systems (Debian, Ubuntu)

Add the CYFOX repository key:

wget -q -O - https://deb.cyfox.com/debian/key.gpg | apt-key add -

Add the CYFOX repository:

echo "deb https://deb.cyfox.com/debian/ / " > /etc/apt/sources.list.d/cyfox.list

Update the package list:

apt update

Install the CYFOX agent:

apt-get install cfx

Configuration

Once the CYFOX agent is installed, update its configuration file.

Open the configuration file in a text editor:

nano /opt/cfx/etc/cfx.conf

Ensure the following settings are applied:

[api]
address = cloud.cyfox.com
port = 4242
licensingUrl = https://uclmcfw9w4.execute-api.us-east-2.amazonaws.com/prod

[general]
logpath = /var/log/cfx.log
debug = False

Save and exit (CTRL+X, then Y, then Enter).

Starting and Managing the CYFOX Agent

Restart the CYFOX service

systemctl restart cfx

Check service status

systemctl status cfx

Enable the service to start on boot

systemctl enable cfx

Activating the CYFOX Agent

To activate the CYFOX agent, use the following command with your provided activation key and license key:

/opt/cfx/bin/cfx -a <activation_key> -e <license_key>

Updating the CYFOX Agent

To ensure your CYFOX agent is up to date, use the following commands:

For RHEL-based Systems (Rocky Linux, CentOS, Fedora, SUSE)

dnf update cfx

For Debian-based Systems (Debian, Ubuntu)

apt-get upgrade cfx

Uninstalling the CYFOX Agent

If you need to remove the CYFOX agent, use the appropriate command for your Linux distribution:

For RHEL-based Systems (Rocky Linux, CentOS, Fedora, SUSE)

dnf remove cfx

For Debian-based Systems (Debian, Ubuntu)

apt-get remove cfx

To remove repository files manually:

rm -f /etc/yum.repos.d/cyfox.repo # RHEL-based systems 
rm -f /etc/apt/sources.list.d/cyfox.list # Debian-based systems

Troubleshooting

Verify if the package is available in the repository

dnf list cfx # For RHEL-based systems 
apt-cache search cfx # For Debian-based systems

Check the logs for errors

cat /var/log/cfx.log

Restart the service if it is not running

systemctl restart cfx
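The Configuration, service-management and troubleshooting steps above can be combined into a single post-install health check. This is an added example, not CYFOX's own tooling; it assumes the paths and keys shown in this article (/opt/cfx/etc/cfx.conf with [api] address/port/licensingUrl and [general] logpath) and a systemd unit named cfx.

```shell
#!/bin/sh
# Post-install health check for the CYFOX Linux agent (added example, not CYFOX tooling).
# Assumed from the article: /opt/cfx/etc/cfx.conf with [api] address/port/licensingUrl, [general] logpath, unit "cfx".
CFX_CONF="${CFX_CONF:-/opt/cfx/etc/cfx.conf}"

# conf_get FILE SECTION KEY: print the trimmed value of KEY inside [SECTION], or nothing if absent.
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { match($0, /\[[^]]*]/); s = substr($0, RSTART + 1, RLENGTH - 2); insec = (s == sec); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }' "$1"
}

# check_cfx_conf FILE: 0 if the [api] settings from the Configuration section are present, else 1.
check_cfx_conf() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "config not readable: $f" >&2; return 1; }
    addr=$(conf_get "$f" api address); port=$(conf_get "$f" api port); lic=$(conf_get "$f" api licensingUrl)
    [ -n "$addr" ] || { echo "[api] address is empty: the agent has no management server to report to" >&2; rc=1; }
    [ "$port" = "4242" ] || { echo "[api] port is '$port', expected 4242" >&2; rc=1; }
    case "$lic" in
        https://*) ;;
        *) echo "[api] licensingUrl missing or not https (required for Linux EDR cloud agents)" >&2; rc=1 ;;
    esac
    return "$rc"
}

# check_cfx_service: 0 if the cfx unit is running and enabled at boot (needs systemd).
check_cfx_service() {
    systemctl is-active --quiet cfx || { echo "cfx is not running; try: systemctl restart cfx" >&2; return 1; }
    systemctl is-enabled --quiet cfx || { echo "cfx is not enabled at boot; run: systemctl enable cfx" >&2; return 1; }
}

# recent_log_errors: show the last error lines from the agent log instead of dumping the whole file.
recent_log_errors() {
    logfile=$(conf_get "$CFX_CONF" general logpath)
    logfile="${logfile:-/var/log/cfx.log}"
    [ -r "$logfile" ] && grep -i 'error' "$logfile" | tail -n 20
}

# cfx_health_check: run all checks; on failure, surface recent log errors for troubleshooting.
cfx_health_check() {
    if check_cfx_conf "$CFX_CONF" && check_cfx_service; then
        echo "cfx agent configuration and service look healthy"; return 0
    fi
    recent_log_errors; return 1
}
# Runs the check only when executed as a script named cfx_check.sh; sourcing the file just defines the functions.
case "$0" in *cfx_check.sh) cfx_health_check ;; esac
```

Save it as cfx_check.sh and run it as root after activation; a non-zero exit with the last error lines from the log is the starting point for troubleshooting.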


What's Next

Unlike macOS or Windows, CYFOX's Linux EDR does not immediately mitigate system activity upon installation. This is intentional, as continuously monitoring and mitigating file activity across all paths in Linux would be excessively resource-intensive.

Linux systems often handle a large number of processes and file operations simultaneously, many of which occur in critical system directories or temporary paths. Monitoring every file operation in real time would result in significant overhead, potentially impacting system performance and stability. Instead, this approach allows administrators to define specific paths for monitoring, ensuring efficient and targeted protection without compromising the system's performance.

This design requires the system administrator to define specific paths where the Linux EDR should operate.

Configuring Instructions

  1. Navigate to Policy → FIM.

  2. Next to the FIM Subscriptions title, click on Add.

  3. In the "Add Subscription" window:

    • Change the management type from Windows - Agent to Linux.

    • Define the specific path to monitor.

  4. Once saved, the Linux EDR will start operating based on the defined paths for the endpoint, using the following default actions:

    • Kill Process: Terminates the process on malicious hash detection.

    • Quarantine File: Quarantines the file on malicious hash detection.

    • Block Connection: Blocks the connection on malicious network activity and kills the related process.

You can extend the policy by changing the prevention mode from normal to aggressive, either for a specific Falco event or for all events.

Prevention Modes:

  1. Kill Process:

    • Normal Mode: Kills the process by its PID.

    • Aggressive Mode: Kills both the process (PID) and its parent process (PPID).

  2. Block Connection:

    • Kills the process related to the connection.

    • Blocks the connection with a persistent firewall rule.

  3. Quarantine File:

    • Kills the related process (if specified in the event).

    • Quarantines the file to prevent execution of the binary.

  4. Network Isolation:

    • Isolates the device from all incoming and outgoing network connections.

    • Exceptions are made for communication with the server for device management.

Configuring Event Response Policies

  1. Navigate to Policy → Event Response.

  2. Scroll down to the Agent Response section.

  3. Click on Add.

  4. Select the level where the rule should apply:

    • Global: Applies to all endpoints organization-wide.

    • Group: Applies to a predefined group of endpoints.

    • Host: Applies to specific individual endpoints.

  5. Optionally, specify the Falco rule to which the policy applies.

  6. Change the mode from normal to aggressive for enhanced mitigation.
