Large number of file events (PFIL) for /usr/lib/dracut/dracut-install after reboot of IPS protected RHEL 8.6 machine

Article ID: 241956

Products

Data Center Security Server Advanced

Issue/Introduction

On a RHEL 8.6 system where prevention is enabled, a large number of file events (PFIL) may be observed for the /usr/lib/dracut/dracut-install program after the system is rebooted.

Cause

An additional requirement is needed in the policy.

Environment

Symantec Data Center Security Server Advanced (DCS)
DCS Agent version: 6.9.1, 6.9.2
IPS Policy

Resolution

A change to the policy is required. Tune the prevention policy as follows:

Add the following file rules to the "Read-Only Resources Lists -> Block modifications to these files" option of the 'Default Daemon Sandbox [daemon_stdpriv_ps, ...]' sandbox:

Rule 1
     Resource Path - /lib
     Program Path - /usr/lib/dracut/*

Rule 2
     Resource Path - /lib64
     Program Path - /usr/lib/dracut/*