FirEye Install Package Help

diwanker · October 31, 2019, 2:20am

Hi Guys,

I am trying to create an rpm install package for FireEye Agent but it is failing when being deployed using BigFix. I am able to install the agent when running the commands manually but when using the below action script, the installation reports back as completed with Exit Code 1 but the package is not installed.

wait mkdir -p /Desktop/FE
wait mv -f “/var/opt/BESClient/__BESData/actionsite/__Download/agent_config.json” "/Desktop/FE"
wait mv -f “/var/opt/BESClient/__BESData/actionsite/__Download/xagt-30.19.3-1.el7.x86_64.rpm” "/Desktop/FE"
wait sudo rpm -ihv /Desktop/FE/xagt-30.19.3-1.el7.x86_64.rpm
wait sudo /opt/fireeye/bin/xagt -i agent_config.json
wait sudo service xagt start

I am challenged with Linux administration and so far have not been to get any success with this.

Any help would be greatly appreciated.

Thanks

diwanker · October 31, 2019, 2:24am

Below is the Install instructions provided by Mandiant.

Installation (Linux RHEL/CentOS)
The agent .run file is used to manually install the agent on an endpoint running Red Hat Enterprise Linux (RHEL)
versions 6.8, 7.2, or 7.3. The agent .rpm files are used to perform a single or bulk deployment of the agent
software to Linux endpoints running RHEL versions 6.8, 7.2, or 7.3.
Follow the steps below to install the FireEye Endpoint agent on a Linux endpoint:
NOTE: STEPS 3 THROUGH 5 REQUIRE SUDO ACCESS
8. Place the FireEye Endpoint .tgz package in a directory named FireEye on the Linux Endpoint’s
Desktop
9. Use the tar zxf command to unzip the FireEye Endpoint agent .tgz package
username@localhost:~/Desktop/FireEye$ tar zxf IMAGE_HX_AGENT_LINUX_X.X.X.tgz
10. Use the -ihv option to run the appropriate .rpm script and install the agent on your Linux endpoint
username@localhost:~/Desktop/FireEye$ sudo rpm -ihv xagt-X.X.X-1.el.x86_64
a. The .rpm file automatically detects the version of RHEL currently running on the endpoint. If the
.rpm file is not compatible with the RHEL version running on the endpoint, an error message
appears.
b. You must run the .rpm file that is compatible with your Linux environment. If your Linux
endpoints are currently running RHEL version 6.8, run the .rpm file xagt-X.X.X-
1.el6.x86_64.rpm. If your Linux endpoints are running RHEL versions 7.2 or 7.3, run .rpm file
xagt-X.X.X-1.el7.x86_64.rpm.
11. After the .rpm installation script is complete, use the -i option to import the agent configuration file from
the /opt/fireeye/bin/xagt binary path:
username@localhost:~/Desktop/FireEye$ sudo /opt/fireeye/bin/xagt -I agent_config.json
12. Start the agent services on your Linux endpoint using one of the commands below:
For endpoints running RHEL 6.8
username@localhost:~/Desktop/FireEye$ sudo service xagt start
For endpoints running RHEL 7.2 or 7.3
username@localhost:~/Desktop/FireEye$ sudo systemctl start xagt
13. Use the following commands to verify that the service is running on RHEL 6.8, or 7.3 & 7.3 respectively:
username@localhost:~/Desktop/FireEye$ sudo service xagt status
username@localhost:~/Desktop/FireEye$ sudo systemctl start xagt

Manish · October 31, 2019, 3:04am

I think Prabhat has done this recently.
@prabhu490730 - Can you please guide diwamker.