Configuring Linux Software Requirements

Perform the following actions to determine if the software requirements are correctly configured:

Verify `auditd` Package

Run either of the following commands to verify `auditd` package is installed and running on the endpoint:

The following screenshot is an example of the service status auditd command:

Output of service auditd command.

If `auditd` is stopped, the EDR module does not receive any events. 

Remove auditctl -a never,task

Events are not generated if the -a never,task exists in the audit configuration files. To verify if the -a never,task exists, perform the following steps:

Disable `auditd` immutable mode

As we continue to improve or optimize our EDR agent, we may push new rules to audit with every new configuration update or binary release. For example, to enhance detection capabilities, shortly, we will start monitoring certain `syscalls` that are currently not tracked.

Similarly, there are other optimization use cases for which we will dynamically add exclusion filters to `auditd` and reduce the amount of generated `auditd` trail. As a result, we require the kernel audit interface to be mutable. 

If the `auditd` configuration is in immutable mode, it does not allow the Qualys EDR application to add or edit any EDR rules. You should reboot your system to recover from the `auditd` immutable mode.

Perform the following steps to disable `auditd` immutable mode and verify SELinux status:

  1. auditctl -s e 1
    enabled 1 signifies that the audit configuration is immutable, and we need to disable it. 
  2. Reboot your system.

     You should schedule and perform the system reboot in batches. 

  3. Run the `sudo sestatus` command to verify if SELinux is enabled.
  4. If SELinux is enabled, verify the following modules are installed:
    which checkmodule
    which semodule_package
    which semodule

Additional Resources