Known Issues
The following are some known issues/limitations for the Qualys Cloud Agent for Linux.
- FIM rules displayed using the auditctl command do not show system calls. The rules work successfully even though system calls are not seen.
- You cannot set the full directory path while configuring the FIM profile. You can set the limited path in the Rule Details from Application List—FIM > Configuration > Profiles.
  Use Case: If you have a file (for example, a file named filename) under the directory /root/test/directoryname, and you delete directoryname, the audit system does not provide the correct file path. In that case, the file at /root/test/directoryname/filename is considered as /root/test/filename by the fimc process.
- For the Cloud Agent to parse an event, the audit rules must not include rules that exclude EOE and CWD audit records. You need to restart your agent after removing these rules.
- If you have created an FIM config profile with a rule to rename a directory or file, the rename event with the mv command does not work for CentOS 7.6.1810, Red Hat Enterprise Linux 7.6, and Amazon Linux 2.
- Cloud Agent version 3.0 or later terminates when you configure an invalid sudo command using the qualys-cloud-agent.sh script or when the HostID file has insufficient permissions.
- If the remediation manifest is received during polling before clone detection, it is executed by both agents (master agent and cloned agent). If the clone machine acknowledges the manifest before the master starts polling, the master agent does not receive the remediation manifest, but the status is updated as per the status reported by the clone instance.
- The remediation manifest fails to execute if you switch from root to a non-sudo user while execution is in progress. You must execute the remediation manifest with the root user.
- For Debian-based systems, the software installedDate is always shown as 1970-01-01 because these systems do not save the date in their package database. The Cloud Agent therefore cannot capture the date and shows the default, 1970-01-01.
- For the SUSE 15 SP4 system, the audit.service file contains the ProtectSystem=full parameter. This parameter sets read-only access to all the sensitive folders and prohibits the creation of socket files. You can add the ReadWritePaths parameter to the audit.service file to select the files to give read-write permissions. When you add ReadWritePaths=/usr/local/qualys/ in the /usr/lib/systemd/system/auditd.service file, the required socket files are created. Restart the auditd service and the Cloud Agent service to run the EDR process.
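
For the EOE/CWD issue above, one way to find the offending audit rules before removing them. This is an added example, not Qualys code; the function names and the sample rules are constructed for illustration, and it assumes the exclusion is written as "-F msgtype=<name or number>" on the exclude list.

```shell
#!/bin/sh
# Added example: flag audit rules that drop CWD or EOE records.
# Assumption: rules are in the text form used by "auditctl -l" and audit.rules.
# Record type numbers: CWD = 1307, EOE = 1320.

# Constructed sample rules (not taken from a real host).
sample_rules() {
cat <<'EOF'
# constructed sample
-a always,exit -F arch=b64 -S unlink,rename -F dir=/etc -k fim
-a never,exclude -F msgtype=CWD
-a exclude,always -F msgtype=1320
-a always,exclude -F msgtype=CRYPTO_KEY_USER
# -a always,exclude -F msgtype=EOE
-w /etc/passwd -p wa -k identity
EOF
}

# Reads rules on stdin and prints each active rule that excludes CWD or EOE.
find_cwd_eoe_excludes() {
    awk '
        /^[ \t]*#/ { next }    # commented-out rules are not loaded
        {
            on_exclude = 0; hit = 0
            for (i = 1; i <= NF; i++) {
                # "-a list,action" is accepted in either order
                if ($i == "-a" || $i == "-A") {
                    n = split($(i + 1), part, ",")
                    for (j = 1; j <= n; j++)
                        if (part[j] == "exclude") on_exclude = 1
                }
                if ($i == "-F") {
                    f = $(i + 1)
                    if (f == "msgtype=CWD" || f == "msgtype=1307" ||
                        f == "msgtype=EOE" || f == "msgtype=1320") hit = 1
                }
            }
            if (on_exclude && hit) print
        }'
}

# Stand-alone run on the constructed sample; on a host, pipe in the loaded
# rules instead (as root): auditctl -l | find_cwd_eoe_excludes
sample_rules | find_cwd_eoe_excludes
```

An empty result means no loaded rule excludes these record types by an exact msgtype match; rules that use other comparison operators on msgtype are not covered by this check.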