On RHEL 8.6 system where prevention is enabled and then the system is rebooted a large number of file events (PFIL) may be observed for /usr/lib/dracut/dracut-install program.
Symantec Data Center Security Server Advanced (DCS)
DCS Agent version: 6.9.1, 6.9.2
IPS Policy
Additional requirement in policy needed
A change to the policy is required, please tune prevention policy like below:
Add the file rules in "Read-Only Resources Lists -> Block modifications to these files" option of 'Default Daemon Sandbox [daemon_stdpriv_ps, ...]' sandbox
Rule 1
Resource Path - /lib
Program Path - /usr/lib/dracut/*
Rule 2
Resource Path - /lib64
Program Path - /usr/lib/dracut/*