[again] Endpoint security immediately degraded

First, nice work with the detailed descriptions and screen captures. Very helpful. Should've mentioned it earlier.

TL;DR - It's unclear to me if the system in question is a VM or a container. Elastic Endpoint requires tracefs (or debugfs) to be mounted in order to enable event sources. Since containers share a single kernel space and tracefs is a kernel component, installing Elastic Endpoint in a container is unsupported. Installing Elastic Endpoint on a VM is supported, however.


Based on the included policy results, Elastic Endpoint is failing to apply policy because it cannot enable the event data sources.

For this kernel, Elastic Endpoint uses read-only kprobes installed using the tracefs (formerly debugfs) filesystem as event data sources. Here's a Linux kernel documentation link for the curious.

In older kernels, 4.0 and older, tracing was provided by debugfs. Since then, tracing has been moved out into a separate file system, tracefs, for security reasons. Here's a StackOverflow link about it.

The path I asked you to check, /sys/kernel/debug/tracing/kprobe_events, exists for backwards compatibility reasons. For this kernel, the path /sys/kernel/debug would be mounted as debugfs, and the subdirectory, /sys/kernel/debug/tracing would be mounted as tracefs. I wonder if this system has tracefs mounted elsewhere. Running the following would rule that out:

$ mount | grep tracefs

Finally, if it's not already mounted, I wonder if tracefs could be mounted.

$ mkdir /tmp/tracing
$ mount -t tracefs none /tmp/tracing

My gut says that both of those will yield disappointing results. But, in the off chance tracefs can be mounted, create the directory /sys/kernel/debug/tracing and mount it there, and see how things go with Endpoint.

Otherwise, it seems Endpoint is just not supported on this particular configuration.

I wonder whether the system is a container or a VM. If it's a container, the only option is to install Endpoint in the container host. If it's a VM, understanding how to enable tracefs would be the path forward.
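The checks this reply walks through (is tracefs mounted anywhere, is there a debugfs fallback, does the kernel list tracefs at all) gathered into one script, as an added example that is not part of the original post and not Elastic's own code. The functions read /proc/mounts-style or `mount`-style lines and /proc/filesystems-style lines on stdin, so they can be run on the affected host or against output captured from it; the sample inputs below are constructed.

```shell
#!/bin/sh
# Added example: locate the tracing filesystem that Elastic Endpoint's kprobe
# event sources depend on. Not part of the original post or of Elastic's code.

# Print the mount point of every tracefs entry in the text on stdin.
# Accepts /proc/mounts lines (dev mountpoint fstype opts dump pass) and
# `mount` output lines (dev on mountpoint type fstype (opts)).
tracefs_mountpoints() {
    awk '$3 == "tracefs" { print $2 }
         $2 == "on" && $5 == "tracefs" { print $3 }'
}

# Same for debugfs; on older kernels tracing lives under <debugfs>/tracing.
debugfs_mountpoints() {
    awk '$3 == "debugfs" { print $2 }
         $2 == "on" && $5 == "debugfs" { print $3 }'
}

# Return 0 when the kernel lists tracefs in /proc/filesystems-style text.
# If this fails, mounting tracefs cannot succeed on this kernel at all.
kernel_supports_tracefs() {
    grep -q '[[:space:]]tracefs$'
}

# Print where kprobe_events should be, given mount-table text on stdin:
# tracefs first, then the debugfs compatibility path, else "none" (status 1).
kprobe_events_path() {
    mounts=$(cat)
    tfs=$(printf '%s\n' "$mounts" | tracefs_mountpoints | head -n 1)
    if [ -n "$tfs" ]; then
        printf '%s/kprobe_events\n' "$tfs"
        return 0
    fi
    dfs=$(printf '%s\n' "$mounts" | debugfs_mountpoints | head -n 1)
    if [ -n "$dfs" ]; then
        printf '%s/tracing/kprobe_events\n' "$dfs"
        return 0
    fi
    echo none
    return 1
}

# Constructed sample inputs (not captured from the poster's host).
SAMPLE_MOUNTS_OK='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/debug/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_MOUNTS_DEBUGFS_ONLY='debugfs /sys/kernel/debug debugfs rw,relatime 0 0'
SAMPLE_MOUNTS_CONTAINER='overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_MOUNT_CMD='tracefs on /tmp/tracing type tracefs (rw,relatime)'
SAMPLE_FILESYSTEMS=$(printf 'nodev\tsysfs\nnodev\ttracefs\n\text4\n')
SAMPLE_FILESYSTEMS_NO_TRACEFS=$(printf 'nodev\tsysfs\nnodev\tproc\n\text4\n')

# Run against the live host when its tables are readable.
if [ -r /proc/mounts ]; then
    printf 'kprobe_events candidate: %s\n' "$(kprobe_events_path < /proc/mounts)"
fi
if [ -r /proc/filesystems ]; then
    if kernel_supports_tracefs < /proc/filesystems; then
        echo 'kernel lists tracefs: mounting it is at least possible'
    else
        echo 'kernel does not list tracefs: Endpoint event sources cannot be enabled'
    fi
fi
```

On the affected host, `kprobe_events_path < /proc/mounts` (or `mount | kprobe_events_path`) gives the path to inspect with `ls -l`; a result of `none` together with no `tracefs` line in /proc/filesystems is the container-style outcome the reply expects, where the fix has to happen on the container host rather than inside the container.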