Skip to main content

Bitdefender Endpoint Security Tools for Linux quick start guide

Requirements

For more information on BEST for Linux installation requirements, refer to security agent requirements on Linux.

Hardware requirements

Configure the guest operating systems where you are deploying BEST as follows:

General

Resource

Minimum

Recommended

Processor

2 vCPUs

4 vCPUs

Memory (RAM)

4 GB RAM

6 GB RAM

Free Disk Space

2.5 GB (up to 4 GB disk with debug logs enabled)

4 GB

Public Cloud

Cloud Service Provider (CSPs)

Minimum (instance type)

Recommended (instance type)

Amazon Web Services (AWS)

T2 medium

Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD

Microsoft Azure

Standard B2s

Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD

Google Cloud Platform (GCP)

E2-medium or E2-standard-2

Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD

Supported distributions

Fully Supported Linux Modern Distributions

Distribution 

Architecture

Kernel Versions

Cloud Platform Availability

RPM-based

RHEL 7.x

64bit

3.10.0.x (starting from build 957)

AWS, AZURE, GCP

RHEL 8.x

64bit

4.18.0.x

AWS, AZURE, GCP

RHEL 9.x

64bit

5.14.0.x

AWS

Oracle Linux 7.x UEK

64bit

4.18.0.x

AWS, AZURE

Oracle Linux 7.x RHCK

64bit

3.10.0.x (starting from build 957)

AWS, AZURE

Oracle Linux 8.x UEK

64bit

5.4.17.x / 5.15.0.x

AWS

Oracle Linux 8.x RHCK

64bit

4.18.0.x

AWS

Oracle Linux 9.x UEK

64bit

5.15.0.x

AWS

Oracle Linux 9.x RHCK

64bit

5.14.0.x

AWS

CentOS 7.x

32bit, 64bit

3.10.0.x (starting from build 957)

AWS, AZURE, GCP

CentOS 8 Stream

64bit

4.18.0.x

AWS, AZURE, GCP

CentOS 9 Stream

64bit

5.14.0.x

AWS, AZURE, GCP

Fedora 36 - 38

64bit

Supported until it expires.

AWS

AlmaLinux 8.x

64bit

4.18.0.x

AWS, AZURE, GCP

AlmaLinux 9.x

64bit

5.14.0.x

AWS

Rocky Linux 8.x

64bit

4.18.0.x

AWS, AZURE, GCP

Rocky Linux 9.x

64bit

5.14.0.x

AWS, AZURE, GCP

CloudLinux 7.x

64bit

3.10.0.x (starting from build 957)

AWS, AZURE, GCP

CloudLinux 8.x

64bit

4.18.0.x

AWS, AZURE, GCP

Miracle Linux 8.x

64bit

4.18.0.x

Kylinv10 RHEL

64bit

4.19.90.x

Debian-based

Debian 9

32bit, 64bit

4.9.0.x

AWS, AZURE, GCP

Debian 10

32bit, 64bit

4.19.x

AWS, AZURE, GCP

Debian 11

32bit, 64bit

5.10.x

AWS, AZURE, GCP

Debian 12

64bit

6.1.0.x

Ubuntu 16.04.x

32bit, 64bit

4.8.x / 4.10.x / 4.13.x / 4.15.x

AWS, AZURE, GCP

Ubuntu 18.04.x

64bit

5.0.x / 5.3.x / 5.4.x

AWS, AZURE, GCP

Ubuntu 20.04.x

64bit

5.4.x / 5.8.x / 5.11.x / 5.13.x / 5.15.x

AWS, AZURE, GCP

Ubuntu 22.04.x

64bit

5.15.x / 5.19.x

AWS, AZURE, GCP

Ubuntu 23.04.x

64bit

6.2.0.x

AWS, AZURE, GCP

PopOS 22.04.x

64bit

6.2.6.x

AWS, AZURE, GCP

Pardus 21

64bit

5.10.0.x

Mint 20.x

64bit

5.4.0.x

Mint 21.x

64bit

5.15.0.x

SUSE-based

SLES 12 SP4 

64bit

4.12.14-x

AWS

SLES 12 SP5

64bit

4.12.14-x

AWS, AZURE, GCP

SLES 15 SP1 

64bit

4.12.14-x

AWS, AZURE

SLES 15 SP2

64bit

5.3.18-x

AWS, AZURE, GCP

SLES 15 SP3

64bit

5.3.18-x

AWS, AZURE, GCP

SLES 15 SP4

64bit

5.14.21.x

AWS, AZURE, GCP

SLED 15 SP4

64bit

5.14.21.x

openSUSE Leap 15.2-15.4

64bit

5.3.18 / 5.14.x

AWS

Cloud-based

AWS Bottlerocket 2020.03

64bit

5.4.x / 5.10.x

AWS

Amazon Linux v2

64bit

4.14.x / 4.19.x / 5.10

AWS

Amazon Linux 2023

64bit

6.1.0.x

AWS

Google COS Milestones 77, 81, 85

64bit

4.19.112 / 5.4.49 

GCP

Azure Mariner 2

64bit

5.15.x

AZURE

Fully Supported Linux Modern Distributions for ARM architecture

Distribution

Kernel versions

Cloud Platform Availability

RPM-based

RHEL 8.x

4.18.0-x

AZURE

RHEL 9.x

5.14.x

GCP, AZURE, AWS

AlmaLinux 9.x

5.14.x

AZURE

Rocky Linux 9.x

5.14.x

GCP, AZURE, AWS

Debian-based

Debian 11

5.10.x/6.1.x

GCP, AZURE, AWS

Ubuntu 20.04.x

5.15.x

GCP, AZURE, AWS

Ubuntu 22.04.x

5.15.x/5.19.x

GCP, AZURE, AWS

SUSE-based

SLES 15 SP4

5.14.21-x

GCP, AZURE, AWS

openSUSE Leap 15.4

5.14.21-x

AZURE

Cloud-based only

Amazon Linux v2

5.10.x

AWS

Amazon Linux 2023

6.1.x

AWS

Supported Linux Legacy Distributions

Distro 

Architecture

Kernel Versions

RPM-based

RHEL 6.10

32bit, 64bit

2.6.32-754

CentOS 6.10

32bit, 64bit

2.6.32-754

Oracle Linux 6.10 UEK

64bit

4.1.12-124

Amazon Linux v1 2018.03

64bit

4.14.x

Debian-based

Ubuntu 14.04 LTS

32bit, 64bit

4.4

Ubuntu 16.04.x

32bit, 64bit

4.15

Software requirements

GravityZone requirements

BEST for Linux is compatible with GravityZone Cloud and GravityZone On-Premises versions 6.13.1-1 or newer.

Additional software requirements

  • On-access scanning is available for supported operating systems as follows:

    • Kernel 2.6.38 or higher - Supports all Linux distributions. The fanotify kernel option must be enabled.

    • Kernel 2.6.32 - 2.6.37 - CentOS 6.x Red Hat Enterprise Linux 6.x - Bitdefender provides support via DazukoFS with prebuilt kernel modules.

  • You need auditd as a fallback mechanism in case kProbes are not available for your Kernel version.

Licensing

Linux operating systems are considered Server operating systems by Bitdefender agent and will use server license seats from your pool of licenses.

Although deploying the software has no direct license requirement, depending on your license some functionality might not be available. For protection layers availability refer to Features by endpoint type.

Installing

For additional information on installing BEST for Linux refer to Install security agents - standard procedure.

There are several options to install BEST on a Linux machine:

  1. An installation task from the GravityZone Control Center > Network inventory section.

  2. Manual installation via a installation package downloaded from the Control Center.

    Example:

    1. Go to Network > Packages and select the install package to be downloaded.

    2. Select Send Download Links to expand the provided links.

    3. Copy the Linux string and paste it into the shell on your target endpoint to download the installation package.

    4. Unpack the installation file:

      # tar -xvf setup_downloader.tar
    5. Change permissions to the installation file so that you can execute it:

      # chmod +x installer
    6. Run the installation file:

      # ./installer

To check that the agent has been installed on the endpoint, run this command:

$ systemctl status bdsec*

Scanning

Bitdefender Endpoint Security Tools for Linux provides on-access scanning for a number of preconfigured system directories.

To review this list or add other directories to be scanned, use the following steps:

  1. Choose a policy from the Control Center Policies page.

  2. Go to the Antimalware > On-Access section.

  3. Next to On-access Scanning, click Settings.

  4. Click Advanced.

  5. Configure which folders the agent should scan constantly.

Additionally, you can schedule Full / Custom / Quick Scan tasks by using these steps:

  1. Choose a policy from the Control Center Policies page.

  2. Go to the Antimalware > On-Demand section.

  3. Click the +Add button.

  4. Select a scan type. With the Custom Scan type you can configure scan options and folders to be scanned in detail.

  5. Configure the scan task scheduling options as needed.

  6. Configure scan options and target as needed.

  7. Click the Save button.

To manually scan Linux endpoints:

  • Run the task from the Control Center Network inventory, by right-clicking the target machine and selecting Tasks > Scan.

  • Start the scan task locally using the command line interface. For more information, refer to Scanning for malware.

Troubleshooting

You can check Bitdefender Endpoint Security Tools services by running the following commands:

Check services status:

bd status

Start service

bd start

Stop services:

bd stop

Restart bd:

bd restart

Other commands:

To detect any system proxy:

/opt/bitdefender-security-tools/bin/bdconfigure getsystemproxy

To check all of the versions that were previously installed on the machine as well as the current one, open vhist.dat:

/opt/bitdefender-security-tools/etc/vhist.dat

Deploying EDR using Linux AuditD

Note

We recommend this method to be used only when neither KProbes nor eBPF methods are not available. The AuditD subsystem was not designed to be used in this manner and may cause increased CPU usage.

When deploying EDR using Linux AuditD, BEST for Linux automatically modifies several specific files. These changes ensure that AudtiD will perform on par with previously available methods. The changes are specified below:

Note

Make sure you have AuditD installed on your endpoint before deploying the EDR module.

  • /etc/audit/rules.d/

    • BEST will backup all files from /etc/audit/rules.d/ (for example, /etc/audit/rules.d/audit.rules will become /etc/audit/rules.d/audit.rules.bak).

    • BEST will create a rules file: /etc/audit/rules.d/bd_ausecd.rules.

    • BEST will restart the auditd service, which includes regenerating /etc/audit/audit.rules from /etc/audit/rules.d/*.rules.

    • When EDR is disabled or BEST is stopped, /etc/audit/rules.d/bd_ausecd.rules will be removed and backed-up files will be restored.

  • /etc/default/auditd

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /etc/default/auditd to /etc/default/auditd.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /etc/default/auditd.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state.

  • /etc/sysconfig/auditd

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /etc/sysconfig/auditd to /etc/sysconfig/auditd.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /etc/sysconfig/auditd.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state.

  • /etc/audit/auditd.conf

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /etc/audit/auditd.conf to /etc/audit/auditd.conf.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /etc/audit/auditd.conf.

    • When EDR is disabled (or BEST is stopped), file content will be restored to previous state.

  • /lib/systemd/system/auditd.service

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /lib/systemd/system/auditd.service to /lib/systemd/system/auditd.service.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /lib/systemd/system/auditd.service.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state.

  • /usr/lib/systemd/system/auditd.service

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /usr/lib/systemd/system/auditd.service to /usr/lib/systemd/system/auditd.service.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /usr/lib/systemd/system/auditd.service.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state.

  • /etc/systemd/system/auditd.service

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • When BEST enables the audit backend for the first time, it will backup /etc/systemd/system/auditd.service to /etc/systemd/system/auditd.service.bdsec-bak in order to have a copy of the original file content.

    • If the file does not exist, a dummy backup will be created: /etc/systemd/system/auditd.service.bak-missing.

    • If the file exists, its contents will be copied to /etc/systemd/system/auditd.service.bak.

    • BEST will copy the modified file /lib/systemd/system/auditd.service (or /usr/lib/systemd/system/auditd.service, depending on the distro according to the table below) to /etc/systemd/system/auditd.service.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state from /etc/systemd/system/auditd.service.bak (or deleted, if only auditd.service.bak-missing exists).

OS

Version

Changes performed

Alma Linux 8

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

Ensures that ExecStartPost = -/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Alma Linux v1

X86

N/A

X64

Edits the /etc/sysconfig/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Alma Linux v2

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service.

Centos 6

X86

Edits the /etc/sysconfig/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

X64

Edits the /etc/sysconfig/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

Centos 7

X86

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Centos 8

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

Cloud Linux 7

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Cloud Linux 8

X86

N/A

X64

Edits the /etc/audit/auditd.conffile and sets log_format to NOLOG.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Debian 9

X86

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Debian 10

x86

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Debian 11

X86

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Fedora 31

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Fedora 34

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Linux Mint 20.3

X86

N/A

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Miracle Linux 8.4

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

OpenSUSE 15.2

X86

N/A

X86

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service.

Oracle 6

X86

N/A

X64

Edits the /etc/sysconfig/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

Oracle 7

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Oracle 8

X86

N/A

X64

Edits the /etc/audit/auditd.con file and sets log_format to NOLOG.

Pardus 21

X86

N/A

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

RHEL 6

X86

Edits the /etc/sysconfig/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

X64

Edits the /etc/sysconfig/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

RHEL 7

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

RHEL 8

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

Rocky Linux 8

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

SLES 12 SP4

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service.

SLES 12 SP5

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service.

SLES 15 SP2

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service.

SLES 15 SP2

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service.

SLES 15 SP3

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service

SLES 12 SP4

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system

Runs systemctl daemon-reload.

Restarts the auditd service.

SLES 12 SP5

X86

N/A

X64

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.

Copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service.

Ubuntu 14.04

X86

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Set ExecStartPost=-/sbin/augenrules --load in /lib/systemd/system/auditd.service.

Copy /lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service.

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Set ExecStartPost=-/sbin/augenrules --load in /lib/systemd/system/auditd.service.

Copies /lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service

Ubuntu 16.04

X86

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Set ExecStartPost=-/sbin/augenrules --load in /lib/systemd/system/auditd.service.

Copies /lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Set ExecStartPost=-/sbin/augenrules --load in /lib/systemd/system/auditd.service.

Copies /lib/systemd/system/auditd.service to /etc/systemd/system.

Runs systemctl daemon-reload.

Restarts the auditd service

Ubuntu 18.04

X86

N/A

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Ubuntu 20.04

X86

N/A

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to RAW.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Ubuntu 21.04

X86

N/A

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Ubuntu 21.10

X86

N/A

X64

Edits the /etc/default/auditd file and sets USE_AUGENRULES to yes.

Edits the /etc/audit/auditd.conf file and sets log_format to NOLOG.

Ensures that ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Warning

EDR requests information from the operating system that is not available via the AuditD subsystem. Expect a decreased detection rate.