Linux Prerequisites for Endpoint Detection and Response
Ensure you meet the following requirements while onboarding Linux Cloud Agent for EDR 2.6.0 or later. This section covers the following:
Supported Operating Systems
The following table lists the supported operating systems for architecture x86 and x64::
| OS Distribution | Qualys EDR |
| Amazon Linux 2 |  |
| CentOS Linux 6, and 7 | |
| Debian 9, 10, and 11 | |
| Oracle Enterprise Linux (OEL) 6 | |
| Oracle Enterprise Linux (OEL) 7 and 9 | |
| Red Hat Enterprise Linux (RHEL) 6 | |
| Red Hat Enterprise Linux (RHEL) 7, 8, and 9 | |
| SUSE Linux Enterprise Server (SLES) 12 and 15 | |
| Ubuntu 16, 18, 20, 22 | |
Installation Prerequisites
- Qualys EDR is enabled from the Configuration Profile of the Cloud Agent application.
Linux Hardware Requirements
| Linux Cloud Agent Version | CPU | Memory | Disk Space |
| 6.1.0. and above | 8 Core Processor | 8 GB of RAM | 1024 MB |
Linux Software Requirements
- Root Access - Linux Agent requires sudo or root access.
-
SELinux Configuration - If SELinux is enabled for Enforcing or Permissive mode, install semodule_package, checkmodule, and restorecon. If SELinux is disabled, package installation is not required.
Debian and Ubuntu do not require the SELinux check.
- Configuration Script - The configuration script includes the following service and settings:
- UseAuditDispatcher - If the auditd service is used, the UseAuditDispatcher script value is set to 1. EDR starts the installed auditd service if the service is stopped.
To set the UseAuditDispatcher value to 1:
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh UseAuditDispatcher=1The auditd service is not required if UseAuditDispatcer is set to 0.
- AuditBacklogLimit - This is a recommended setting. By default, the EDR binary is set to 8192. You can change the value as per your requirement.
- EDRCPULimit - By default, the minimum CPU percentage assigned is 5% of the total CPU limit of the asset.
- EDRMemoryLimit - By default, the minimum memory assigned is 5% of the total memory of the asset.
As we continue to improve or optimize our EDR agent, we may push new rules to audit with every new configuration update or binary release. For example, to enhance detection capabilities, shortly, we will start monitoring certain syscalls that are currently not tracked.
Similarly, there are other optimization use cases for which we will dynamically add exclusion filters to audit and reduce the amount of generated audit trail. As a result, we require the kernel audit interface to be mutable. - UseAuditDispatcher - If the auditd service is used, the UseAuditDispatcher script value is set to 1. EDR starts the installed auditd service if the service is stopped.
