When there is a business requirement to have File Integrity Monitoring (OS hardening) for PCI, are there any recommendations or concerns for installing FIM agents on DLP servers?
The intention is to install a FIM agent (e.g. Symantec DCS) on all DLP servers (Enforce, Detection, OCR servers) to be compliant, as a supporting control for PCI.
It's recommended to exclude all DLP install directory folders (both installation and log directories) from the FIM policy.
Why? Indexes get updated, temporary files are generated, incidents get generated, shipped and queued, and log files get updated - all file operations that may be continuously flagged by a misconfigured FIM agent or policy.
Additionally, a misconfigured FIM policy may cause Symantec DLP upgrades to fail if 'tamper proofing' type restrictions are turned ON within the FIM policy/agents.
This article on recommended AV exclusions for Symantec DLP servers should have most of the DLP install directories, which one can use as a basis for the FIM policy exclusions:
https://knowledge.broadcom.com/external/article/160017/antivirus-flagging-symantec-data-loss-pr.html
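To see why the exclusions matter, here is an added illustration (not part of the article, Broadcom's tooling, or DCS) of a minimal hash-based integrity check run against a constructed stand-in for a DLP install tree; the `Protect/...` paths and the exclusion globs are assumptions for the demo, and the real directories should be taken from the linked article.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Assumed layout for this demo only; use the Broadcom article for the real DLP paths.
DLP_EXCLUDE_GLOBS = ("Protect/logs/*", "Protect/index/*", "Protect/incidents/*")


def snapshot(root, exclude_globs=()):
    """Map each file under root (relative POSIX path) to its SHA-256, skipping exclusions."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, g) for g in exclude_globs):
            continue
        snap[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def compare(before, after):
    """Return the FIM events (added / removed / modified paths) between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def _write(root, rel, text):
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo():
    """Baseline a fake DLP install, simulate routine activity, compare with and without exclusions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in [("Protect/bin/enforce.jar", "bin"), ("Protect/config/Protect.properties", "a=1"),
                          ("Protect/logs/tomcat.log", "start"), ("Protect/index/idx.bin", "v1"),
                          ("Protect/incidents/q/inc1.xml", "<i/>")]:
            _write(root, rel, text)
        noisy_base = snapshot(root)                       # no exclusions
        tuned_base = snapshot(root, DLP_EXCLUDE_GLOBS)    # DLP working dirs excluded
        # Routine DLP activity: log growth, index rebuild, a newly queued incident...
        _write(root, "Protect/logs/tomcat.log", "start\nscan done")
        _write(root, "Protect/index/idx.bin", "v2")
        _write(root, "Protect/incidents/q/inc2.xml", "<i/>")
        # ...plus the one change an FIM policy should actually report: an edited config file.
        _write(root, "Protect/config/Protect.properties", "a=2")
        return compare(noisy_base, snapshot(root)), compare(tuned_base, snapshot(root, DLP_EXCLUDE_GLOBS))
```

The untuned snapshot reports four events after one routine cycle, while the tuned one reports only the config edit, which is the signal a PCI reviewer actually wants to see.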