In an environment where it is only allowed to use SSH for communication with hosts, I had disabled the cmk-agent-ctl-daemon when I upgraded to v2.1.0.
When updating/upgrading to the v2.1.0p2 agent, the service was re-enabled.
This behaviour is frowned upon for security reasons:
- (CMK-)admin-wise this re-introduces false criticals in CMK after having explicitly disabled this systemd service.
- Security-wise this can potentially introduce an open port expected to be closed before; therefore enabling it by default is unwanted, and can potentially lead to security incidents (seen/experienced before in similar cases/software).
Wanted in this:
- IF, for example, upgrading from a previous major version introduces this new service, it should by default be installed as disabled, so an admin can decide if he/she wants to make use of it.
- IF upgrading and the service exists, the status of the service should be read, and if disabled, this setting should be honored. (In this, the ultimate decision-maker to enable a/the service should be the administrator/organisation of the system.)
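
The behaviour requested above, sketched as package maintainer-script helpers. This is an added example, not part of the original post and not Checkmk's packaging code. The unit name `cmk-agent-ctl-daemon.service`, the function names and the `fake_systemctl` stand-in are assumptions made for illustration.

```shell
# Hypothetical maintainer-script helpers, not Checkmk's own packaging code.
SYSTEMCTL=${SYSTEMCTL:-systemctl}   # overridable so the logic runs without systemd
UNIT=cmk-agent-ctl-daemon.service   # assumed unit name for the service in the post

# Pre-install: remember what the administrator configured before the upgrade.
record_state() {   # record_state STATE_FILE
    rs_state=$("$SYSTEMCTL" is-enabled "$UNIT" 2>/dev/null) || true
    printf '%s\n' "${rs_state:-not-found}" > "$1"
}

# Post-install: restore the recorded choice; a newly introduced unit stays off.
apply_state() {    # apply_state STATE_FILE -> prints the action taken
    as_prev=not-found
    [ -r "$1" ] && read -r as_prev < "$1"
    case "$as_prev" in
        enabled|enabled-runtime)
            "$SYSTEMCTL" try-restart "$UNIT" >/dev/null 2>&1 || true
            echo kept-enabled ;;
        masked)
            echo kept-masked ;;
        disabled|not-found)
            "$SYSTEMCTL" disable --now "$UNIT" >/dev/null 2>&1 || true
            [ "$as_prev" = disabled ] && echo kept-disabled || echo installed-disabled ;;
        *)
            echo unchanged ;;
    esac
}

# Constructed stand-in for systemctl: one state word kept in the file $FAKE_DB.
fake_systemctl() {
    case "$1" in
        is-enabled) cat "$FAKE_DB" 2>/dev/null; grep -q '^enabled' "$FAKE_DB" 2>/dev/null ;;
        enable)     grep -q '^masked' "$FAKE_DB" 2>/dev/null || echo enabled > "$FAKE_DB" ;;
        disable)    echo disabled > "$FAKE_DB" ;;
    esac
}

# Replays the reported sequence: record, package enables the unit, then restore.
simulate_upgrade() {   # simulate_upgrade STATE|none -> "ACTION FINAL_STATE"
    su_dir=$(mktemp -d)
    FAKE_DB=$su_dir/db; SYSTEMCTL=fake_systemctl
    [ "$1" = none ] || echo "$1" > "$FAKE_DB"
    record_state "$su_dir/prev"
    fake_systemctl enable "$UNIT"   # the unconditional enable described in the post
    su_action=$(apply_state "$su_dir/prev")
    su_final=$(cat "$FAKE_DB")
    rm -rf "$su_dir"
    echo "$su_action $su_final"
}
```

Running `simulate_upgrade disabled` or `simulate_upgrade none` shows the unit ending up disabled even though the simulated package step enabled it in between.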