The issue is that RSA QE does not test any AM software or AM appliance operations with ChangeGuardian Security Agent for UNIX installed, therefore it is not supported. That does not mean it won't work, it means that if you run into a problem, RSA Engineering will ask you to remove the ChangeGuardian Agent software and reproduce your problem on a supported platform.
The AM appliance is a hardened security device with a very low security profile, limited software, all RSA software is downloaded from RSA Link using your customer credentials, all software updates come with Digital signatures. Therefore RSA would argue that we have the means to control changes on the appliance. SSH access is disabled by default, but even when enabled, we see several customers make one or two acceptable changes or modifications to the Appliance and SSH access:
1. They install the RSA AM PAM agent for Suse Linux and require Two Factor Authentication for SSH access
2. They add additional Linux UserIDs to track multiple Administrators who access SSH, often with complex vaulted passwords
Having said this, you as the customer have to decide which risk is acceptable to you and your appliance. If you install this ChangeGuardian software, you want to minimize your risk of an unsupported platform, testing and documenting, etc... Possibly seeking advice from other customers who may have tried this via RSA Link postings (which I guess you are doing here 😉
Just be aware that there is risk in modifying your AM appliance, which is why you want to first consider the supported methods of locking down your appliance.
