Agent upgrade re-enables services by default

In an environment where it is only allowed to use SSH for communication with hosts, I had disabled the cmk-agent-ctl-daemon when I upgraded to v2.1.0.

When updating/upgrading to the v2.1.0p2 agent, the service was re-enabled.

This behaviour is frowned upon for security reasons:

  • (CMK-)admin-wise, this re-introduces false criticals in CMK after having explicitly disabled this systemd service.
  • Security-wise, this can potentially introduce an open port that was expected to be closed before; therefore enabling it by default is unwanted and can potentially lead to security incidents (seen/experienced before in similar cases/software).

Wanted in this:

  • IF, for example, upgrading from a previous major version introduces this new service, it should by default be installed as disabled so an admin can decide if he/she wants to make use of it.
  • IF upgrading and the service exists, the status of the service should be read, and if it is disabled, this setting should be honored. (In this, the ultimate decision-maker for enabling a/the service should be the administrator/organisation of the system.)
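
The two requests above, sketched as a state-preserving upgrade step plus an admin-side check. This is an added example, not part of the original post and not Checkmk's packaging code. The `.service` suffix on the unit name, the function names and the `SYSTEMCTL` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Checkmk packaging code.
UNIT="cmk-agent-ctl-daemon.service"    # name from the post; ".service" suffix assumed
SYSTEMCTL="${SYSTEMCTL:-systemctl}"    # overridable so the logic can be tested without systemd

# Pre-upgrade step: print the unit's enablement state before files are replaced.
# `systemctl is-enabled` exits non-zero for disabled/masked/missing units, so the
# exit status is ignored and only the printed state is used.
unit_state() {
    state=$("$SYSTEMCTL" is-enabled "$1" 2>/dev/null) || true
    printf '%s\n' "${state:-not-found}"
}

# Map the state seen before the upgrade to an action.
# Only a unit the administrator had enabled is enabled again; a disabled,
# masked or previously absent (newly introduced) unit is left alone.
decide_action() {
    case "$1" in
        enabled|enabled-runtime) echo enable ;;
        *)                       echo skip ;;
    esac
}

# Post-upgrade step: apply the decision for the state captured earlier.
postinst_unit() {
    if [ "$(decide_action "$1")" = enable ]; then
        "$SYSTEMCTL" enable --now "$UNIT"
    fi
}

# Admin-side check after an upgrade: report any change from the recorded state.
state_unchanged() {
    now=$(unit_state "$UNIT")
    if [ "$now" != "$1" ]; then
        echo "$UNIT changed: $1 -> $now" >&2
        return 1
    fi
}
```

Capture `unit_state "$UNIT"` before the upgrade and pass the saved value to `postinst_unit` or `state_unchanged` afterwards.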