Configuring Linux Software Requirements
Perform the following actions to determine if the software requirements are correctly configured:
Verify `auditd` package
Run either of the following commands to verify that the `auditd` package is installed and that the service is running on the endpoint:
sudo systemctl status auditd
sudo service auditd status
The following screenshot is an example of the output of the `service auditd status` command:
If `auditd` is stopped, the EDR module does not receive any events.
Remove the auditctl `-a never,task` rule
Events are not generated if an `-a never,task` rule exists in the audit configuration files: `never,task` tells the kernel not to attach an audit context to newly created processes, so no syscall events are produced for them regardless of the other rules that are loaded. To verify whether the rule exists, perform the following steps:
- Check the following files for an `-a never,task` line:
/etc/audit/audit.rules
/etc/audit/rules.d/audit.rules
- If it exists, remove the rule:
-a never,task
Removing the line from the file does not remove a rule that is already loaded in the kernel; reload the audit rules or restart `auditd` afterwards so the running configuration matches the files.
- Restart the Qualys Cloud Agent service:
service qualys-cloud-agent restart
For more information, run the command `man auditctl`.
Disable `auditd` immutable mode
As we continue to improve and optimize our EDR agent, we may push new audit rules with every configuration update or binary release. For example, to enhance detection capabilities, we will soon start monitoring certain `syscalls` that are currently not tracked.
Similarly, there are other optimization use cases for which we will dynamically add exclusion filters to `auditd` to reduce the volume of the generated `auditd` trail. As a result, we require the kernel audit interface to be mutable.
If the `auditd` configuration is in immutable mode, the Qualys EDR application cannot add or edit any of its rules. Immutable mode cannot be cleared at runtime; you must reboot the system to recover from it.
Perform the following steps to disable `auditd` immutable mode and verify the SELinux status:
- Run `auditctl -s` and check the `enabled` field. A value of `enabled 2` signifies that the audit configuration is enabled and locked (immutable), and we need to disable it; `enabled 1` means auditing is enabled and the configuration can still be changed.
- Before rebooting, remove any `-e 2` line from the audit rules files; otherwise the configuration is locked again as soon as the rules are loaded at boot.
- Reboot your system. You should schedule and perform the system reboot in batches.
- Run the `sudo sestatus` command to verify whether SELinux is enabled.
- If SELinux is enabled, verify that the following policy utilities are installed:
which checkmodule
which semodule_package
which semodule
- If any of these commands or utilities are missing, install the following packages:
policycoreutils-python
policycoreutils
libselinux-utils
For example, `yum install policycoreutils-python`. On newer RHEL-family releases the Python policy utilities ship as `policycoreutils-python-utils` instead.
For SUSE, install the equivalent packages with Zypper.
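The following POSIX shell script is an added example, not Qualys documentation or agent code, that implements the checks from the three sections above (service state, the `-a never,task` rule, immutable mode via the `enabled` field of `auditctl -s`, and the SELinux policy utilities). The function names and the `--live` switch are this example's own; it assumes the multi-line `enabled N` output format of current audit userspace and that rules live in `/etc/audit/audit.rules` and `/etc/audit/rules.d/*.rules`. Each check takes its input as an argument so it can be exercised against constructed files and captured status text without touching the running system.

```sh
#!/bin/sh
# Added example, not Qualys code: offline checks for the auditd prerequisites
# described above (service state, "-a never,task", immutable mode, SELinux
# tooling). Function names and the sample inputs are assumptions of this
# example; the rule syntax and `auditctl -s` fields are standard audit userspace.

# Matches "-a never,task" (or "task,never") as the first keyword on a rule line.
NEVER_TASK_RE='^[[:space:]]*-a[[:space:]]+(never,task|task,never)([[:space:]]|$)'

# $1 = audit rules file; returns 0 if it contains a never,task rule.
rules_file_has_never_task() {
    grep -Eq "$NEVER_TASK_RE" "$1"
}

# $1 = input rules file, $2 = output file with the never,task rule removed.
# Written to a separate path so the result can be reviewed before it replaces
# the original; the kernel only picks it up once the rules are reloaded.
strip_never_task_rule() {
    grep -Ev "$NEVER_TASK_RE" "$1" > "$2" || :
}

# $1 = rules file; returns 0 if it contains "-e 2", which re-locks the audit
# configuration every time the rules are loaded at boot.
rules_file_locks_config() {
    grep -Eq '^[[:space:]]*-e[[:space:]]+2([[:space:]]|$)' "$1"
}

# $1 = text of `auditctl -s`; prints the "enabled" value (0 off, 1 on,
# 2 on and immutable) or "unknown" if the field is absent.
audit_enabled_state() {
    _state=$(printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; exit }')
    printf '%s\n' "${_state:-unknown}"
}

# $1 = text of `auditctl -s`; returns 0 only when the configuration is locked.
audit_is_immutable() {
    [ "$(audit_enabled_state "$1")" = 2 ]
}

# Prints the names of the required SELinux policy tools that are not on PATH.
missing_selinux_tools() {
    for _t in checkmodule semodule_package semodule; do
        command -v "$_t" >/dev/null 2>&1 || printf '%s\n' "$_t"
    done
}

# Runs the checks against the live endpoint (run as root). Assumes auditd's
# rules live in /etc/audit/audit.rules and /etc/audit/rules.d/*.rules.
run_live_checks() {
    if systemctl is-active --quiet auditd 2>/dev/null; then
        echo "auditd: running"
    else
        echo "auditd: NOT running (EDR receives no events)"
    fi
    for _f in /etc/audit/audit.rules /etc/audit/rules.d/*.rules; do
        [ -f "$_f" ] || continue
        rules_file_has_never_task "$_f" && echo "never,task rule in $_f: remove it"
        rules_file_locks_config "$_f" && echo "-e 2 in $_f: remove it before rebooting"
    done
    _s=$(auditctl -s 2>/dev/null) || _s=""
    case "$(audit_enabled_state "$_s")" in
        2) echo "audit configuration is immutable (enabled 2): reboot required" ;;
        1) echo "audit configuration is mutable (enabled 1)" ;;
        0) echo "auditing is disabled (enabled 0)" ;;
        *) echo "could not read auditctl -s (not root, or auditd missing?)" ;;
    esac
    _m=$(missing_selinux_tools)
    [ -z "$_m" ] || echo "missing SELinux tools:" $_m
}

# Usage on an endpoint: sudo sh auditd_prereq_check.sh --live
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

After `strip_never_task_rule` has produced a reviewed file and it has replaced the original, reload the rules (`augenrules --load` on systems that assemble `/etc/audit/rules.d/`, or restart `auditd`) before restarting the Qualys Cloud Agent; the immutable check deliberately reports `-e 2` in the files separately from `enabled 2` in the kernel, because only the former survives the reboot that clears the latter.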