Icinga files change permissions after Icinga Node Wizard is run


I have noticed a funny thing. We use Open-SCAP to check that our Linux VMs are following our set hardening standard.

It checks the files access permissions of installed software packages matches the vendor values. On a newly installed Icinga2 conf file, f.ex. zones.conf has 640. But after I run the Icinga Node Wizard to configure the node it changes to 644. Same with other conf files as well.

This causes an alert from Open-SCAP as you might understand.

My question is just, why does the files access permissions changes so it doesnt matches the vendor settings.

It is easily fixed with rpm --setperms ICINGA PACKAGE (for example icinga2-0:2.13.2-1.el8.icinga.x86_64) so its not a major issue, just a annoying one :slight_smile:

But the most annoying issue is that after each restart of Icinga on server the /var/lib/icinga2/api/zones-stage has changed its permissions from vendor presets, from 750 to 700.

  • Version used (icinga2 --version) 2.13.2-1
  • Operating System and version RHEL 8.5