Noexec on /var & BigFix agent on Linux/Unix machines

Hello,

Our Security team are starting to implement security hardening settings where the /var filesystem is mounted with noexec (documentation), and as such it has a very bad impact on BigFix, which by design operates/executes under /var/opt/BESClient.

I already discussed the official stance of HCL (official KB) and even saw the BigFix.me fixlet to move folder & create symlink back but it just seems a massive hurdle (we are dealing with servers and we essentially need to raise changes that impact 6k servers from their stakeholders and go through changing). That also just adds an extra layer of complexity both from agent troubleshooting perspective, management and even risks (someone deletes the symlink and the agent stops working because it can’t find its own files).

Anyway, I thought I’d ask if anyone else has faced this? How did they overcome it, if so?
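
Added example, not part of the original post: a shell check for whether the BigFix client directory, or the target of a symlink that replaces it, sits on a noexec mount, which can be run across a fleet before and after the hardening change. The mounts table in `sample_mounts` and the `/opt` mount in it are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: report whether a directory sits on a noexec mount.

# Print "<mountpoint> <options>" for the mount that holds a path.
# $1 = absolute path, $2 = mounts table (defaults to /proc/mounts)
mount_for_path() {
    awk -v p="$1" '
        {
            mp = $2
            # match only on a path-component boundary, so /variant is not under /var
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # longest mount point wins; on a tie the later line wins
                if (length(mp) >= best_len) { best_len = length(mp); best = mp " " $4 }
            }
        }
        END { if (best != "") print best }
    ' "${2:-/proc/mounts}"
}

# Follow symlinks first so a relocated directory is judged by its real location.
real_path() {
    readlink -f -- "$1" 2>/dev/null || printf '%s\n' "$1"
}

# Exit 0 if the path is on a noexec mount, 1 otherwise.
is_noexec() {
    opts=$(mount_for_path "$(real_path "$1")" "$2" | awk '{print $2}')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed mounts table in /proc/mounts format.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg0-root / xfs rw,relatime 0 0
/dev/mapper/vg0-var /var xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-opt /opt xfs rw,relatime 0 0
EOF
}

# Usage: script --check [DIR]   (reads the live /proc/mounts)
if [ "${1:-}" = "--check" ]; then
    dir=${2:-/var/opt/BESClient}
    if is_noexec "$dir"; then echo "$dir: noexec"; else echo "$dir: exec allowed"; fi
fi
```

Because `real_path` resolves symlinks before the lookup, a missing or dangling symlink shows up as the directory being judged at its original `/var` location again.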