Linux Prerequisites for Endpoint Detection and Response
Ensure you meet the following requirements while onboarding Linux Cloud Agent for EDR 2.6.0 or later.
Supported Operating Systems
The following table lists the supported operating systems for architecture x86 and x64:
OS Distribution | Qualys EDR |
Amazon Linux 2 | ![]() |
CentOS Linux 6 and 7 | ![]() |
Debian 9, 10, and 11 | ![]() |
Oracle Enterprise Linux (OEL) 6 | ![]() |
Oracle Enterprise Linux (OEL) 7 and 9 | ![]() |
Red Hat Enterprise Linux (RHEL) 6 | ![]() |
Red Hat Enterprise Linux (RHEL) 7, 8, and 9 | ![]() |
SUSE Linux Enterprise Server (SLES) 12 and 15 | ![]() |
Ubuntu 16, 18, 20, 22 | ![]() |
Installation Prerequisites
- Qualys EDR is enabled from the Configuration Profile of the Cloud Agent application.
Linux Hardware Requirements
This section outlines the minimum hardware requirements for Linux EDR/EPP, which are consistent across all supported Linux agent versions and are not tied to any specific agent release.
To effectively minimize the risk of high CPU or memory utilization and ensure optimal performance of your Linux EDR/EPP, you must install the Linux Agent on systems that meet or exceed the recommended hardware specifications.
Adhering to these specifications is essential for ensuring stable and reliable performance.
Recommended Configuration
Linux Cloud Agent Version | CPU | Memory | Disk Space |
6.1.0 and above | 8 Core Processor | 8 GB of RAM | 1024 MB |
The CPU and memory usage thresholds for EDR are configurable and operate effectively only on systems with 8 or more CPU cores.
Supported Configuration
Linux Cloud Agent Version | CPU | Memory | Disk Space |
6.1.0 and above | 4 Core Processor | 4 GB of RAM | 1024 MB |
The workload of an asset greatly influences the performance of an Endpoint Detection and Response system.
For example, a 2-core system running a light workload, such as a POS terminal, can perform adequately in static environments. Similarly, a 4-core system can support EDR when operating under minimal system load in these stable conditions.
However, systems with dynamic workloads, like web servers or CI/CD environments, typically require higher specifications to prevent performance bottlenecks.
Linux Software Requirements
- Root Access - Linux Agent requires sudo or root access.
- SELinux Configuration - If SELinux is enabled in Enforcing or Permissive mode, install semodule_package, checkmodule, and restorecon. If SELinux is disabled, package installation is not required.
Debian and Ubuntu do not require the SELinux check.
- Configuration Script - The configuration script includes the following service and settings:
- UseAuditDispatcher - If the auditd service is used, the UseAuditDispatcher script value is set to 1. EDR starts the installed auditd service if the service is stopped.
To set the UseAuditDispatcher value to 1:
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh UseAuditDispatcher=1
The auditd service is not required if UseAuditDispatcher is set to 0.
- AuditBacklogLimit - This is a recommended setting. By default, the EDR binary sets this value to 8192. You can change the value as required.
- EDRCPULimit - By default, the minimum CPU percentage assigned is 5% of the total CPU limit of the asset.
You can customize this limit using the command provided below:
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh EDRCPULimit=10
- EDRMemoryLimit - By default, the minimum memory assigned is 5% of the total memory of the asset.
You can customize this limit using the command provided below:
/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh EDRMemoryLimit=10
As we continue to improve or optimize our EDR agent, we may push new rules to audit with every new configuration update or binary release. For example, to enhance detection capabilities, we will soon start monitoring certain syscalls that are currently not tracked.
Similarly, there are other optimization use cases for which we will dynamically add exclusion filters to audit and reduce the amount of generated audit trail. As a result, we require the kernel audit interface to be mutable.
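
The script below is an added example, not part of the Qualys documentation or agent: a preflight check for the sizing tiers, SELinux tools, and audit state described on this page. Function names are hypothetical. It assumes that "enabled 2" in auditctl -s output (rules locked with auditctl -e 2) is the immutable state the page rules out, and that reported memory is rounded up to whole GB.

```shell
#!/usr/bin/env bash
# Added example (not Qualys code): preflight for the prerequisites on this page.
# Function names are hypothetical; thresholds are the page's sizing tables.

# sizing_tier CORES MEM_GB -> recommended | supported | below-supported
sizing_tier() {
  if [ "$1" -ge 8 ] && [ "$2" -ge 8 ]; then echo recommended
  elif [ "$1" -ge 4 ] && [ "$2" -ge 4 ]; then echo supported
  else echo below-supported; fi
}

# audit_field FIELD STATUS -> value of FIELD in `auditctl -s` output. Accepts
# both the one-pair-per-line layout and the legacy "enabled=1 flag=1 ..." line.
audit_field() {
  printf '%s\n' "$2" | tr '=\n' '  ' |
    awk -v f="$1" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# audit_state STATUS -> mutable | immutable | unknown
audit_state() {
  case "$(audit_field enabled "$1")" in
    2) echo immutable ;;   # rules locked with `auditctl -e 2` until reboot
    0|1) echo mutable ;;
    *) echo unknown ;;     # auditctl missing, or not run as root
  esac
}

# missing_selinux_tools MODE -> required tools that are not on PATH
missing_selinux_tools() {
  local t
  case "$1" in Enforcing|Permissive) ;; *) return 0 ;; esac
  for t in semodule_package checkmodule restorecon; do
    command -v "$t" >/dev/null 2>&1 || printf '%s ' "$t"
  done
}

preflight() {   # gathers live values; run as root so auditctl can query the kernel
  local cores mem_gb mode status
  cores=$(getconf _NPROCESSORS_ONLN)
  # MemTotal excludes kernel-reserved memory, so round up to whole GB (assumption).
  mem_gb=$(awk '/^MemTotal:/ { print int(($2 + 1048575) / 1048576) }' /proc/meminfo)
  if [ -f /etc/debian_version ]; then mode=not-required   # Debian/Ubuntu: no SELinux check
  else mode=$(getenforce 2>/dev/null || echo Disabled); fi
  status=$(auditctl -s 2>/dev/null || true)
  echo "sizing: $(sizing_tier "$cores" "$mem_gb") ($cores cores, $mem_gb GB)"
  echo "selinux: $mode; missing tools: $(missing_selinux_tools "$mode")"
  echo "audit: $(audit_state "$status"); backlog_limit=$(audit_field backlog_limit "$status")"
}

if [ "${1:-}" = "--live" ]; then preflight; fi
```

Run it with --live as root before onboarding. An "immutable" or "unknown" audit result should be resolved first, since an immutable state stays in effect until the host is rebooted.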