Thanks for the suggestion. We'll need to go the IPS route to implement a self-protection mechanism for the DCS agent. Also, SEP does not have an IPS feature currently available in 12.1.x that can be applied to Linux endpoints.
What policy should be used to harden Linux? I see two options:
- sym_unix_protection_sbp
- sym_unix_targeted_prevention_sbp
I take it that the Unix protection will be similar to a Windows strict prevention policy and will require a lot of time and effort in monitoring mode, along with correlation from multiple teams, in order to fully test that nothing breaks when prevention is enabled. This is quite a different implementation from signature-based Host-IPS solutions. I certainly have reservations about preventing a superuser from doing their day-to-day activities. What would you suggest in order to roll something out that has a good baseline for Linux servers and can be deployed in a timely fashion?