Linux Prerequisites for Endpoint Detection and Response

Ensure you meet the following requirements when onboarding the Linux Cloud Agent for EDR 2.6.0 or later.

Supported Operating Systems

The following table lists the supported operating systems for the x86 and x64 architectures:

OS Distribution Qualys EDR
Amazon Linux 2
CentOS Linux 6 and 7
Debian 9, 10, and 11
Oracle Enterprise Linux (OEL) 6
Oracle Enterprise Linux (OEL) 7 and 9
Red Hat Enterprise Linux (RHEL) 6
Red Hat Enterprise Linux (RHEL) 7, 8, and 9
SUSE Linux Enterprise Server (SLES) 12 and 15
Ubuntu 16, 18, 20, 22

Installation Prerequisites

  • Qualys EDR is enabled from the Configuration Profile of the Cloud Agent application.

    Enable EDR toggle from the Configuration Profiles.

Linux Hardware Requirements

Linux Cloud Agent Version | CPU              | Memory      | Disk Space
6.1.0 and above           | 8 Core Processor | 8 GB of RAM | 1024 MB

Linux Software Requirements

  • Root Access - Linux Agent requires sudo or root access. 
  • SELinux Configuration - If SELinux is enabled in Enforcing or Permissive mode, install semodule_package, checkmodule, and restorecon. If SELinux is disabled, package installation is not required.

    Debian and Ubuntu do not require the SELinux check.

  • Configuration Script - The configuration script includes the following service and settings:
    • UseAuditDispatcher - If the auditd service is used, the UseAuditDispatcher script value is set to 1. EDR starts the installed auditd service if the service is stopped.

      To set the UseAuditDispatcher value to 1:

      /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh UseAuditDispatcher=1

      The auditd service is not required if UseAuditDispatcher is set to 0.

    • AuditBacklogLimit - This is a recommended setting. By default, the EDR binary sets this value to 8192. You can change the value as per your requirement.
    • EDRCPULimit - By default, the minimum CPU percentage assigned is 5% of the total CPU limit of the asset.
    • EDRMemoryLimit - By default, the minimum memory assigned is 5% of the total memory of the asset. 

    As we continue to improve and optimize our EDR agent, we may push new audit rules with every new configuration update or binary release. For example, to enhance detection capabilities, we will shortly start monitoring certain syscalls that are currently not tracked.

    Similarly, there are other optimization use cases for which we will dynamically add exclusion filters to audit and reduce the amount of generated audit trail. As a result, we require the kernel audit interface to be mutable.
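
A pre-flight check for the audit and SELinux prerequisites above, added here as an example (not Qualys code). The function names and the --check flag are hypothetical, and the script assumes auditctl is installed and that audit rules live under /etc/audit.

```shell
#!/bin/sh
# Added example, not Qualys code. Function names and --check are hypothetical.

# Print field $1 from `auditctl -s` text on stdin. Accepts both the
# one-pair-per-line layout ("enabled 1") and the older "enabled=1 ..." line.
audit_field() {
    awk -v k="$1" '{ gsub(/=/, " ")
        for (i = 1; i < NF; i++) if ($i == k) { print $(i + 1); exit } }'
}

# 0 = mutable (enabled flag 0 or 1); 1 = locked with "-e 2" until reboot;
# 2 = flag not found in the status text.
audit_is_mutable() {
    case "$(audit_field enabled)" in
        0|1) return 0 ;;
        2)   return 1 ;;
        *)   return 2 ;;
    esac
}

# 0 if none of the given rules files contains an active "-e 2" line.
rules_lock_free() {
    [ "$#" -gt 0 ] || return 0
    ! grep -Eqs '^[[:space:]]*-e[[:space:]]+2' "$@"
}

# Print the SELinux tools named above that are missing. Prints nothing when
# getenforce is absent or reports Disabled.
missing_selinux_tools() {
    mode=$(getenforce 2>/dev/null) || return 0
    [ "$mode" = "Disabled" ] && return 0
    for t in semodule_package checkmodule restorecon; do
        command -v "$t" >/dev/null 2>&1 || echo "$t"
    done
}

if [ "${1:-}" = "--check" ]; then    # run as root
    status=$(auditctl -s) || { echo "auditctl -s failed" >&2; exit 2; }
    echo "backlog_limit: $(printf '%s\n' "$status" | audit_field backlog_limit)"
    printf '%s\n' "$status" | audit_is_mutable ||
        echo "FAIL: audit configuration is locked or unreadable"
    rules_lock_free /etc/audit/audit.rules /etc/audit/rules.d/*.rules ||
        echo "FAIL: a rules file sets -e 2"
    for t in $(missing_selinux_tools); do echo "FAIL: $t not installed"; done
fi
```

A hardening baseline that ends its rules with -e 2 passes the running-state check only until auditd next loads the rules, which is why the rules files are scanned as well.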