How To
Summary
QRadar EDR (formerly ReaQTa): Installing ReaQta agents on immutable Linux operating systems
Objective
Because of how QRadar EDR works, installing it on immutable Linux operating systems, such as Fedora Silverblue or Vanilla OS, requires different steps. On an immutable operating system, the core of the system is not configurable in the same manner as on other distributions. This behaviour prevents unwanted changes to the OS, and is often used where the OS isn't expected to change much, such as on IoT devices or in schools.
As QRadar EDR relies on making these changes, different steps are required to allow for the installation of packages and the agent.
For more information on Fedora Silverblue, view their documentation: Fedora Silverblue User Guide
Environment
This technote specifically covers the installation of the QRadar EDR agent 0.70.0, on Fedora Silverblue 36.
Steps
- Though not required, it is recommended to upgrade the OS to the latest general packages first by using the sudo rpm-ostree upgrade command.
- Following the upgrade, install the required dependencies for the QRadar EDR agent by using sudo rpm-ostree install gcc elfutils-libelf-devel kernel-devel-$(uname -r) kernel-devel make
- Set the QRadar EDR agent hostname, port, group_IDs, and proxy settings as needed, and then install the agent itself with the following command: sudo RQTPARAMS="https://<URL>:<PORT> --gids <group_IDs> --proxy http://<proxy>:<proxy port>" rpm-ostree install <installer>.rpm
  - URL and Port refer to the Hive URL and port.
  - (Optional) Proxy and proxy port are the respective proxy URL and port.
  - (Optional) group_IDs refers to the groups the agent is attached to.
  - The <installer>.rpm file refers to the hive installer file, in this case hive-installer-0.70.0-x86_64.rpm
- The new package layer is available but not active. Once those installation steps are complete, a reboot is required to activate the new layer.
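The following dry-run helper is an added example, not part of the original technote or IBM's installer. It assembles RQTPARAMS as a single quoted value, so a stray quote cannot split the optional --gids and --proxy arguments, and prints the commands from the steps above for review. The function names, the hostnames, the port and the group ID are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM's installer code. Assumption: each value is a single
# token, so whitespace or quote characters are rejected rather than escaped.
valid_token() {
    case "$1" in
        ''|*[[:space:]]*|*\"*|*\'*) return 1 ;;
    esac
    return 0
}

# build_rqtparams <hive> <port> [group_IDs] [proxy_url]
# Prints the RQTPARAMS value in the layout the steps above use.
build_rqtparams() {
    _hive=$1; _port=$2; _gids=${3:-}; _proxy=${4:-}
    valid_token "$_hive" && valid_token "$_port" || return 1
    case "$_port" in *[!0-9]*) return 1 ;; esac
    _params="https://${_hive}:${_port}"
    if [ -n "$_gids" ]; then
        valid_token "$_gids" || return 1
        _params="$_params --gids $_gids"
    fi
    if [ -n "$_proxy" ]; then
        valid_token "$_proxy" || return 1
        _params="$_params --proxy $_proxy"
    fi
    printf '%s\n' "$_params"
}

# print_install_plan <installer.rpm> <hive> <port> [group_IDs] [proxy_url]
# Dry run: prints the commands for review and executes nothing.
print_install_plan() {
    _rpm=$1; shift
    _value=$(build_rqtparams "$@") || { echo "invalid parameter" >&2; return 1; }
    echo 'sudo rpm-ostree install gcc elfutils-libelf-devel kernel-devel-$(uname -r) kernel-devel make'
    echo "sudo RQTPARAMS=\"$_value\" rpm-ostree install $_rpm"
    echo 'systemctl reboot   # activates the new package layer'
}

# Constructed sample values (hostnames, port and group ID are placeholders).
print_install_plan hive-installer-0.70.0-x86_64.rpm \
    hive.example.test 443 1234 http://proxy.example.test:3128
```

To omit the group IDs but keep the proxy, pass an empty string as the group_IDs argument.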
Additional Information
Currently, installing the QRadar EDR agent by using Toolbox is not supported and does not work.
Document Location
Worldwide
Product Synonym
ReaQta
Document Information
Modified date:
11 May 2023
UID
ibm16956535