I'm not seeing a reference in the STIG to installing and running Antivirus or Managed Detection Response/Extended Detection Response agents on a Linux Hardened Repository.
My organization has a requirement that all systems be running such agents when on the corporate network and I'm wondering if there's a way to deploy them that still limits the risk to the immutability of the data stored should those agents be compromised or is this just an acceptable risk.
Posted by Tim Lawhead (Enthusiast, joined Mar 05, 2019)
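One way to address the question of limiting what a compromised agent could do to the repository's immutable data, as an added example that is not from the original thread and not Veeam's or any vendor's own configuration: Veeam's hardened repository protects backup files with the Linux filesystem immutable attribute, and clearing that attribute requires the CAP_LINUX_IMMUTABLE capability. A systemd drop-in for the agent's service can remove that capability from the agent's bounding set and mount the repository path read-only for the agent, so that even if the agent process is taken over it cannot strip immutability or write into the backup tree. The unit name `xdr-agent.service`, the repository path `/backups`, and the agent's state and log directories are assumptions for the example.

```ini
# /etc/systemd/system/xdr-agent.service.d/hardened-repo.conf
# Added example drop-in; unit name and paths are assumed, not taken from any product docs.
[Service]
# Drop the capabilities an attacker would need to clear the immutable attribute
# (CAP_LINUX_IMMUTABLE) or to remount/bypass filesystem restrictions (CAP_SYS_ADMIN).
# The leading "~" means "all capabilities except these".
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE CAP_SYS_ADMIN
# Prevent the agent from regaining capabilities via setuid binaries or file capabilities.
NoNewPrivileges=true
# Make the whole filesystem read-only for this service, then re-open only what it needs.
ProtectSystem=strict
ReadWritePaths=/var/lib/xdr-agent /var/log/xdr-agent
# The backup repository is visible (so the agent can scan it) but never writable.
ReadOnlyPaths=/backups
# Keep the agent from loading kernel modules, which would sidestep all of the above.
ProtectKernelModules=true
```

Apply it with `systemctl daemon-reload` and `systemctl restart xdr-agent.service`, then confirm the effective bounding set with `systemctl show xdr-agent.service -p CapabilityBoundingSet` and check that a write to `/backups` from the service context fails. The caveat a practitioner should weigh before relying on this: the sandbox only constrains the agent's user-space processes. An agent that installs its own kernel module or eBPF programs runs with kernel privileges that systemd cannot fence off, so for such agents the containment is only as good as the agent's own integrity, which is the trust trade-off discussed in the reply.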
Re: Linux Hardened Repository - best practices with AntiVirus and MDR/XDR agents
Reply by Tim (Service Provider, joined Apr 29, 2022)
I would argue that for a hardened system that just shouldn't be necessary. Do they require you to install your XDR software on your VoIP phones, which are also Linux-based devices (most likely) and are on your network?
In my experience, simplified security policies like "do this everywhere" aren't really applicable today. If you want to use modern software you can't have the same policy for every device. You could potentially de-harden the repository and install the software, but then it's not hardened; that sort of defeats the purpose of being a "hardened repository", and it just becomes a "repository".
There's no one (most likely) who would guarantee that the hardening is 100% perfect and there is absolutely no chance of unauthorized access to the repository, but the same goes for your security software. Do you trust it will catch and prevent 100% of malicious activity and that installing it makes a system absolutely secure? Ultimately it will come down to what you (or your company's management) determine is the most trustworthy from that perspective. Do you trust that Veeam's hardening is more secure than the XDR software, or do you trust the XDR software to be more secure than Veeam's hardening?