Qualys Cloud Agent on Fedora Silverblue

In the context of a security certification, I’m most likely going to need to run QualysCloudAgent on my Fedora Silverblue workstation.

It’s provided to me as an rpm which, of course, has no clue of what an immutable OS is and assumes it can modify /usr and so forth.

I’ve tried running it in a toolbox created for this occasion, but it also fails there, as it assumes it can tinker with systemd, install units, restart the daemon etc.

After installing it with sudo rpm -ivh QualysCloudAgent.rpm in the toolbox, there is nothing that I can see that will run.

rpm --query --package --scripts Downloads/QualysCloudAgent.rpm is a whopping 574 lines long and sudo rpm --verify qualys-cloud-agent shows:

.......T.    /etc/qualys/cloud-agent/.centos/qualys-cloud-agent
.......T.    /etc/qualys/cloud-agent/.centos/qualys-cloud-agent-restart
.......T.    /etc/qualys/cloud-agent/.systemd/qualys-cloud-agent.service
.......T.  c /etc/qualys/cloud-agent/edr-plugin.conf
S.5....T.  c /etc/qualys/cloud-agent/qualys-cloud-agent.conf

sudo cat /etc/qualys/cloud-agent/.systemd/qualys-cloud-agent.service:

[Unit]
Description=Qualys cloud agent daemon
After=network.service

[Service]
EnvironmentFile=-/etc/environment
EnvironmentFile=-/etc/default/qualys-cloud-agent
EnvironmentFile=-/etc/sysconfig/qualys-cloud-agent
ExecStart=/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent
Restart=on-failure
RestartSec=60s
TimeoutStopSec=90s

[Install]
WantedBy=multi-user.target

Does anyone have any experience with this? Any clues? I don’t really want to give the tool complete access to my system, though of course I get that that’s what it expects.

So you already tried to layer it with no success?

You can try to use a rootful Distrobox. Layer distrobox, create with distrobox create --root

Thanks @boredsquirrel. I haven’t tried to layer it, but was rather hoping to avoid doing that. I’ll give it a shot.

I have distrobox already installed / layered, so that’s also a neat option. Thanks.
Edit: ah well, distrobox create --root --image fedora:40 gave me a distrobox that has no systemctl, so that’s not going to help.
distrobox create --root --image fedora-toolbox-40 gives me an environment with systemctl, but:

Running in chroot, ignoring command 'daemon-reload'
Running in chroot, ignoring command 'start'

Looks like layering might be the only option.


Just tried to install the rpm as a layered package using rpm-ostree:
sudo rpm-ostree install ./Downloads/QualysCloudAgent.rpm:

Checking out tree 981dca0... done
Enabled rpm-md repositories: updates fedora rpmfusion-free-updates rpmfusion-free rpmfusion-nonfree-updates rpmfusion-nonfree fedora-cisco-openh264 fedora-cisco-openh264-debuginfo updates-archive
Importing rpm-md... done
rpm-md repo 'updates' (cached); generated: 2024-09-20T01:52:00Z solvables: 26893
(…)
Resolving dependencies... done
Relabeling... done
Applying 5 overrides and 341 overlays
Processing packages... done
error: Checkout qualys-cloud-agent-6.4.0-45.x86_64: opendir(local): No such file or directory

No luck.


You will likely have to dig into the scripts included in the RPM to figure out what they are (incorrectly) doing.


Also the obvious note: rpm-ostree doesn’t need sudo 🙂

Yes, theoretically you could also install it on a secondary regular Fedora install and monitor what files are changed. (Is there any good tool for that?)

Then package a new RPM where all those files are included where they should be and it should work.

There is a tool that allows you to create RPMs from a directory with all its subdirectories.

The bottleneck of the rpm-ostree UX really is just the ability to place whatever files you need, by packaging them into RPMs.


Before that you can also ask the devs to create a regular “static” RPM that just contains all the files, with no dynamic scripts, which break on Fedora Atomic Desktops, Fedora IoT, Fedora CoreOS, CentOS Stream bootc and RHEL bootc too.

So this really is an important change that will be more required in the future.
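The “install it on a throwaway Fedora and monitor what files are changed, then package those files into a static RPM” approach suggested above can be done with nothing but coreutils. The script below is an added example and not something from this thread or from Qualys: it snapshots a directory tree before and after an install, lists the paths that were added or modified, and turns that list into %files entries for an RPM spec (files under etc/ become %config(noreplace), the same 'c' attribute the rpm --verify output earlier in the thread shows for the original package). The sample tree and the fake “install” in run_demo are constructed for the demonstration; the real Qualys paths are not used.

```shell
#!/bin/sh
# Added example, not from the thread: detect which files an installer touched
# by snapshotting a tree before and after, then emit the %files list for a
# "static" RPM spec. Needs only sh, find, sha256sum, sort, comm and sed.

# Print "sha256  relative/path" for every regular file under $1, sorted so
# that comm(1) can compare two snapshots line by line.
snapshot_tree() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "${f#./}"
    done | LC_ALL=C sort )
}

# Paths whose "hash  path" line exists only in the "after" snapshot, i.e.
# files that were added or modified by the install. Deleted files are not
# reported (they would show up in "comm -23" instead). The sed keeps paths
# containing spaces intact.
changed_paths() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^[^ ]*  //' | LC_ALL=C sort
}

# Turn relative paths into %files entries for an RPM spec. Anything under
# etc/ is marked %config(noreplace) so a later upgrade keeps local edits.
files_section() {
    while IFS= read -r p; do
        case "$p" in
            etc/*) printf '%%config(noreplace) /%s\n' "$p" ;;
            *)     printf '/%s\n' "$p" ;;
        esac
    done
}

# Demo on a constructed tree: one binary and one config file, then a
# simulated install that rewrites the config and drops a new systemd unit.
run_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/app/bin" "$root/etc/app"
    printf 'v1\n' > "$root/usr/local/app/bin/agent"
    printf 'key=1\n' > "$root/etc/app/agent.conf"
    snapshot_tree "$root" > "$root.before"

    # the "install": modified config, new unit file, untouched binary
    printf 'key=2\n' > "$root/etc/app/agent.conf"
    mkdir -p "$root/usr/lib/systemd/system"
    printf '[Unit]\nDescription=demo\n' > "$root/usr/lib/systemd/system/agent.service"
    snapshot_tree "$root" > "$root.after"

    changed_paths "$root.before" "$root.after"
    rm -rf "$root" "$root.before" "$root.after"
}

# Stand-alone run: show the changed paths and the %files entries for them.
run_demo | files_section
```

On a real throwaway install you would snapshot / rather than a temp tree, excluding volatile trees such as /proc, /sys, /dev, /run and /var, and take the second snapshot after the package scriptlets and the first service start have finished. Whatever appears in the diff but not in rpm -qlp of the original package (for example the unit file the scriptlets copy out of /etc/qualys/cloud-agent/.systemd) is exactly what the static RPM has to carry as plain payload instead of creating at install time.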