Need Suggestion for disabling access protection on Linux servers in McAfee ENS Threat Protection
Hello fellow community members,
We have observed multiple access protection threat events being raised which pretty much seem to be false positives. The threat name appears to be "IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX". What's happening is that a process, namely ossec-syscheckd (in this particular case), or any other process, is trying to access a startup/configuration file; as a result, one of the default rules about start-up files is being triggered and an incident is generated.
Can we disable it? How much of a risk is there in disabling those default access protection rules on Linux servers, if there is any at all?
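The decision the post asks about (disable the default rule, or keep it and narrow it) is easier to make from a per-process breakdown of the events. The following triage script is an added example, not part of the original post and not McAfee code. The event lines are constructed in a simplified `key=value` layout for illustration (real ENS exports use a different format, so `parse_events` would need adapting), the allowlist `TRUSTED_PROCESSES` is a hypothetical list containing only the process named in the post, and the rule name is the one quoted in the post.

```python
"""
Triage helper for McAfee ENS access-protection events on Linux (added example).

Idea: before touching a default rule, measure how much of its noise comes from
one known process. If nearly all events come from a trusted tool such as the
OSSEC file-integrity daemon, a process-scoped exclusion removes the noise while
the rule keeps protecting startup files from everything else.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re

# Rule name as quoted in the post.
STARTUP_RULE = "IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX"

# Hypothetical allowlist of processes expected to touch startup files.
TRUSTED_PROCESSES = {"ossec-syscheckd"}

# CONSTRUCTED sample events in a simplified key=value layout (not real ENS output).
SAMPLE_EVENTS = """\
ts=2024-01-01T10:00:01Z rule=IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX process=ossec-syscheckd target=/etc/init.d/sshd
ts=2024-01-01T10:00:02Z rule=IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX process=ossec-syscheckd target=/etc/init.d/cron
ts=2024-01-01T10:05:00Z rule=IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX process=ossec-syscheckd target=/etc/systemd/system/app.service
ts=2024-01-01T11:30:00Z rule=IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX process=python3 target=/etc/init.d/helper
ts=2024-01-01T11:31:00Z rule=IDS_AP_RULE_OTHER_EXAMPLE process=vim target=/tmp/notes
"""


@dataclass(frozen=True)
class Event:
    ts: str
    rule: str
    process: str
    target: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse the simplified key=value lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(_KV.findall(line))
        events.append(Event(fields["ts"], fields["rule"], fields["process"], fields["target"]))
    return events


def classify(ev):
    """'other-rule', 'exclusion-candidate' (trusted process) or 'investigate'."""
    if ev.rule != STARTUP_RULE:
        return "other-rule"
    return "exclusion-candidate" if ev.process in TRUSTED_PROCESSES else "investigate"


def triage(events):
    """Summarise startup-file rule events per process and suggest a scoped action."""
    startup = [e for e in events if e.rule == STARTUP_RULE]
    by_process = Counter(e.process for e in startup)
    targets = defaultdict(set)
    for e in startup:
        targets[e.process].add(e.target)

    trusted = {p: n for p, n in by_process.items() if p in TRUSTED_PROCESSES}
    untrusted = {p: n for p, n in by_process.items() if p not in TRUSTED_PROCESSES}
    total = len(startup)
    trusted_share = sum(trusted.values()) / total if total else 0.0

    recommendations = []
    if trusted:
        recommendations.append(
            "keep %s; scope an exclusion to %s (paths seen: %s) instead of disabling the rule"
            % (STARTUP_RULE, ", ".join(sorted(trusted)),
               ", ".join(sorted(t for p in trusted for t in targets[p])))
        )
    if untrusted:
        recommendations.append(
            "investigate %d event(s) from untrusted process(es): %s"
            % (sum(untrusted.values()), ", ".join(sorted(untrusted)))
        )
    return {
        "total": total,
        "by_process": dict(by_process),
        "trusted_share": trusted_share,
        "targets_by_process": {p: sorted(t) for p, t in targets.items()},
        "recommendations": recommendations,
    }


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS))
    print("startup-file events:", result["total"], result["by_process"])
    print("share from trusted processes: %.0f%%" % (100 * result["trusted_share"]))
    for rec in result["recommendations"]:
        print("-", rec)
```

The output separates the noisy-but-expected events (the file-integrity daemon reading the same startup paths on every scan) from the one event that the rule exists to catch (an unrelated process writing under `/etc/init.d`). That second category is the concrete cost of disabling the rule outright, and a process-scoped exclusion is the narrower change the numbers point to.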