How to protect the license file of ArcSight ESM in the path where it is installed on Linux?
Hard to tell how to protect it, but I think we can monitor this file using the Linux audit daemon, auditd, for example:
auditctl -a exit,always -F path=/opt/arcsight/manager/user/manager/license/arcsight.lic -F perm=rwa
Anyway, we need to dig deeper and test it.
It can depend on where you are at just now with locking down your servers.
I would start by getting traceability on the servers, making sure there is no one accessing servers generically (e.g. logging in as root or arcsight) and delegating the permissions of those users with sudo / su. That way you can monitor who is doing what and when if you have auditing properly configured. Usually your servers will be logging which users are using which commands anyway, so you shouldn't need to configure anything custom other than making sure those logs are monitored (in ArcSight, hopefully).
Once you have that you can look at specific folders or files if you would like in order to look for things like this.
That being said, you could always get fancy and use SELinux to protect the file in a more suitable way if it really is a requirement.
Privileged access management is one of the use cases you absolutely should have across the board in your environment, not just on the ArcSight servers, controlling who can do what and when, which is usually enough to meet this type of requirement.
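An added example, not code from either reply: a Python parser that reads audit records of the kind a watch like the auditctl rule in the first reply produces and lists who touched the license file. The log lines are constructed samples; it relies on auid, the login UID that the audit subsystem keeps unchanged across sudo / su, for the traceability the second reply describes.

```python
import os
import re
from collections import defaultdict

LICENSE = "/opt/arcsight/manager/user/manager/license/arcsight.lic"  # path from the rule above
UNSET_AUID = "4294967295"  # (unsigned)-1: process has no login session, e.g. a daemon
HEAD = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records in audit.log format (not real log data).
SAMPLE = '''\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=4100 auid=1001 uid=0 euid=0 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1700000000.101:501): cwd="/opt/arcsight/manager/user/manager/license"
type=PATH msg=audit(1700000000.101:501): item=0 name="arcsight.lic" inode=917 nametype=NORMAL
type=SYSCALL msg=audit(1700000050.220:502): arch=c000003e syscall=257 success=yes exit=5 pid=2300 auid=4294967295 uid=1500 euid=1500 comm="java" exe="/usr/bin/java" key=(null)
type=CWD msg=audit(1700000050.220:502): cwd="/"
type=PATH msg=audit(1700000050.220:502): item=0 name="/opt/arcsight/manager/user/manager/license/arcsight.lic" inode=917 nametype=NORMAL
type=SYSCALL msg=audit(1700000090.007:503): arch=c000003e syscall=257 success=yes exit=3 pid=4200 auid=1001 uid=0 euid=0 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1700000090.007:503): cwd="/root"
type=PATH msg=audit(1700000090.007:503): item=0 name="/etc/hosts" inode=33 nametype=NORMAL
'''

def license_accesses(log_text, target=LICENSE):
    """Group records by audit event id and return the events that touched target."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        rtype, eid, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        ev = events[eid]
        if rtype == "SYSCALL":
            ev.update({k: fields.get(k) for k in ("auid", "uid", "exe")})
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd", "/")
        elif rtype == "PATH":
            ev.setdefault("names", []).append(fields.get("name", ""))
    hits = []
    for eid, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        # PATH names may be relative, so resolve them against the event's CWD record.
        paths = [os.path.normpath(os.path.join(ev.get("cwd", "/"), n)) for n in ev.get("names", [])]
        if target in paths:
            hits.append({"event": int(eid), "auid": ev.get("auid"), "uid": ev.get("uid"),
                         "exe": ev.get("exe"), "interactive": ev.get("auid") != UNSET_AUID})
    return hits

if __name__ == "__main__":
    for hit in license_accesses(SAMPLE):
        print(hit)
```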