Antonyma,
Agree with Alex_CST to use the core Unix config. When you apply the policy, understand that tuning it is an iterative process:
1. Apply policy in "Prevention Disabled" mode
2. Evaluate events returned in the console and make decisions whether to allow or deny the activity
3. If allowed, tune the policy and reapply in "Prevention Disabled" mode
4. Return to step 1 and repeat until you no longer see events associated with normal operation of the server
5. Turn on prevention
Please bear in mind that this is not a trivial process and can take a substantial amount of time and effort. Your most efficient strategy may be to bring in consultative help to speed you along the way and provide advice gathered over years' worth of implementations. Please don't hesitate to reach out if you need additional assistance.
Chris Tyrrell
Conventus Corp
ctyrrell@conventus-sei.com