Perform the following actions to determine if the software requirements are correctly configured:
`auditd` package

Run either of the following commands to verify that the `auditd` package is installed and running on the endpoint:

- `sudo systemctl status auditd`
- `service auditd status`

The following screenshot shows example output of the `service auditd status` command:

If `auditd` is stopped, the EDR module does not receive any events.

`auditctl -a never,task`

Events are not generated if the rule `-a never,task` exists in the audit configuration files. To verify that the rule is not present, perform the following steps:

1. Check `/etc/audit/audit.rules` and `/etc/audit/rules.d/audit.rules` for the rule `-a never,task`.
2. If the rule is present, remove it from those files and restart the agent with `service qualys-cloud-agent restart`.
3. For details on the rule syntax, see `man auditctl`.

`auditd` immutable mode

As we continue to improve or optimize our EDR agent, we may push new rules to audit with every new configuration update or binary release. For example, to enhance detection capabilities, we will shortly start monitoring certain `syscalls` that are currently not tracked.
Similarly, there are other optimization use cases for which we will dynamically add exclusion filters to `auditd` to reduce the amount of generated `auditd` trail. As a result, we require the kernel audit interface to be mutable.
If the `auditd` configuration is in immutable mode, it does not allow the Qualys EDR application to add or edit any EDR rules. You must reboot the system to recover from `auditd` immutable mode.

Perform the following steps to disable `auditd` immutable mode and verify SELinux status:

1. Run `auditctl -s` and check the `enabled` value. A value of `2` means the audit configuration is locked (immutable mode). Change the `-e 2` entry in the audit rules to `-e 1` so that the enabled flag is set to `1`, then reboot the system for the change to take effect. You should schedule and perform the system reboot in batches.
2. Run the `sudo sestatus` command to verify whether SELinux is enabled.
3. Verify that the SELinux policy tools are available:
   - `which checkmodule`
   - `which semodule_package`
   - `which semodule`
4. The following packages are required:
   - `policycoreutils-python`
   - `policycoreutils`
   - `libselinux-utils`

   Install them with `yum install policycoreutils-python`. For SUSE, use the Zypper repo.
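The checks above can be scripted. The following POSIX shell script is an added example and is not part of the Qualys documentation or agent: it checks whether `auditd` is running, scans the rules files for an active `-a never,task` rule, reads the `enabled` value from `auditctl -s` to detect immutable mode, and confirms that `sestatus` and the SELinux policy tools are present. The helper functions take their input explicitly (file paths, `auditctl -s` output on stdin, tool names) so they can be exercised without root; `--live` runs them against the host. The file name `check_edr_prereqs.sh` and the `--live` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Qualys code): pre-flight checks for the auditd/SELinux
# requirements described above. Run as root with --live for a real check.

# Return 0 if the given audit rules file carries an active "-a never,task"
# rule (commented-out lines are ignored), 1 otherwise.
has_never_task_rule() {
    grep -Eq '^[[:space:]]*-a[[:space:]]+(never,task|task,never)([[:space:]]|$)' "$1" 2>/dev/null
}

# Scan every rules file given as an argument; print each offending file and
# return 0 if at least one file contains the rule. Missing files are skipped.
find_never_task_rules() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        if has_never_task_rule "$f"; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Extract the "enabled" value from `auditctl -s` output read on stdin.
audit_enabled_flag() {
    awk '$1 == "enabled" { print $2; exit }'
}

# Translate the enabled value into a human-readable verdict.
# 0 = auditing off, 1 = enabled and mutable, 2 = immutable (locked until reboot).
audit_mode_verdict() {
    case "$1" in
        0) echo "disabled: auditd is not collecting events" ;;
        1) echo "enabled: audit configuration is mutable" ;;
        2) echo "immutable: rules are locked until reboot; set -e 1 instead of -e 2 in the rules file" ;;
        *) echo "unknown enabled value '$1'" ;;
    esac
}

# Return 0 when every named tool is on PATH (default: the SELinux policy tools);
# print each missing tool and return 1 otherwise.
selinux_tools_present() {
    [ $# -gt 0 ] || set -- checkmodule semodule_package semodule
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool"
            missing=1
        fi
    done
    return $missing
}

# Run all checks against the local host (requires root for auditctl -s).
run_live_checks() {
    if systemctl is-active --quiet auditd 2>/dev/null || service auditd status >/dev/null 2>&1; then
        echo "auditd: running"
    else
        echo "auditd: NOT running; the EDR module will receive no events"
    fi
    if find_never_task_rules /etc/audit/audit.rules /etc/audit/rules.d/*.rules; then
        echo "found -a never,task in the files above; remove it and restart the agent"
    fi
    echo "audit mode: $(audit_mode_verdict "$(auditctl -s 2>/dev/null | audit_enabled_flag)")"
    if command -v sestatus >/dev/null 2>&1; then
        sestatus | head -n 1
    else
        echo "sestatus not found; install libselinux-utils / policycoreutils"
    fi
    selinux_tools_present && echo "SELinux policy tools: present"
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Usage: `sudo sh check_edr_prereqs.sh --live`. An `immutable` verdict means the `auditctl -e 2` lock is in force and only a reboot (after correcting the rules file) will release it; a `disabled` verdict means no events reach the EDR module at all, regardless of the rules loaded.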