IBM Support

QRadar EDR (formerly ReaQTa): Installing QRadar EDR agents on immutable Linux operating systems

How To


Summary

QRadar EDR (formerly ReaQTa): Installing ReaQta agents on immutable Linux operating systems

Objective

Because of how QRadar EDR works, installing it on immutable Linux operating systems, such as Fedora Silverblue or Vanilla OS, requires different steps. On an immutable operating system, the core of the system is not configurable in the same manner as on other distributions. This behaviour prevents unwanted changes to the OS, and is often used in scenarios where the OS isn't expected to change much, such as IoT devices or schools.
As QRadar EDR relies on making these changes, different steps are required to allow for the installation of packages and the agent.
For more information on Fedora Silverblue, view their documentation: Fedora Silverblue User Guide

Environment

This technote specifically covers the installation of the QRadar EDR agent 0.70.0, on Fedora Silverblue 36.

Steps

  1. Though not required, it is recommended to upgrade the OS to the latest general packages by using the sudo rpm-ostree upgrade command.
  2. Following the upgrade, install the required dependencies for the QRadar EDR agent by using sudo rpm-ostree install gcc elfutils-libelf-devel kernel-devel-$(uname -r) kernel-devel make
  3. Set the QRadar EDR agent hostname, port, group_IDs, and proxy settings as needed, and then install the agent itself with the following command: sudo RQTPARAMS="https://<URL>:<PORT> --gids <group_IDs> --proxy http://<proxy>:<proxy port>" rpm-ostree install <installer>.rpm
    • URL and PORT refer to the Hive URL and port.
    • (Optional) proxy and proxy port are the respective proxy URL and port.
    • (Optional) group_IDs refers to the groups the agent is to be attached to.
    • The <installer>.rpm file refers to the hive installer file, in this case hive-installer-0.70.0-x86_64.rpm
  4. The new package layer is available but not active. Once those installation steps are complete, a reboot is required to activate the new layer.
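
To check whether the layer from step 3 is active in the booted deployment or still waiting for the reboot in step 4, the output of rpm-ostree status --json can be parsed as below. This is an added example, not IBM's code: the package name hive-installer (guessed from the installer file name), the sample JSON, and the JSON key names are assumptions.

```python
import json

# Assumed keys under which `rpm-ostree status --json` lists layered packages.
LAYER_KEYS = ("packages", "requested-packages", "requested-local-packages")

def has_layer(deployment, name):
    """True if `name`, or an entry starting with `name-` (e.g. a NEVRA), is layered."""
    for key in LAYER_KEYS:
        for entry in deployment.get(key) or []:
            if entry == name or entry.startswith(name + "-"):
                return True
    return False

def layer_state(status_json, name):
    """Classify a layered package as 'active', 'pending-reboot' or 'absent'."""
    deployments = json.loads(status_json).get("deployments", [])
    booted = next((d for d in deployments if d.get("booted")), None)
    if booted is not None and has_layer(booted, name):
        return "active"
    # Assumption: deployments[0] is the deployment the next boot will use.
    if deployments and has_layer(deployments[0], name):
        return "pending-reboot"
    return "absent"

# Constructed sample: state right after step 3, before the reboot in step 4.
SAMPLE_BEFORE_REBOOT = json.dumps({"deployments": [
    {"booted": False, "staged": True,
     "packages": ["gcc", "make", "elfutils-libelf-devel", "kernel-devel"],
     "requested-local-packages": ["hive-installer-0.70.0-1.x86_64"]},
    {"booted": True, "staged": False, "packages": [],
     "requested-local-packages": []},
]})

if __name__ == "__main__":
    import subprocess, sys
    # Hypothetical package name; pass the real one as the first argument.
    name = sys.argv[1] if len(sys.argv) > 1 else "hive-installer"
    out = subprocess.run(["rpm-ostree", "status", "--json"],
                         capture_output=True, text=True, check=True).stdout
    print(name, layer_state(out, name))
```

A result of pending-reboot means the agent package is layered but the host is still running the old deployment, so the agent is not yet protecting it.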

Additional Information

Currently, installing the QRadar EDR agent by using Toolbox is not supported and does not work.

Document Location

Worldwide


Product Synonym

ReaQta

Document Information

Modified date:
11 May 2023

UID

ibm16956535