diff --git a/confluent_osdeploy/el7/profiles/default/scripts/firstboot.sh b/confluent_osdeploy/el7/profiles/default/scripts/firstboot.sh
index 4596723a..0fe078ba 100644
--- a/confluent_osdeploy/el7/profiles/default/scripts/firstboot.sh
+++ b/confluent_osdeploy/el7/profiles/default/scripts/firstboot.sh
@@ -16,6 +16,7 @@ while ! ping -c 1 $confluent_mgr >& /dev/null; do
 done
 exec >> /var/log/confluent/confluent-firstboot.log
 exec 2>> /var/log/confluent/confluent-firstboot.log
+chmod 600 /var/log/confluent/confluent-firstboot.log
 tail -f /var/log/confluent/confluent-firstboot.log > /dev/console &
 logshowpid=$!
 
diff --git a/confluent_osdeploy/el7/profiles/default/scripts/post.sh b/confluent_osdeploy/el7/profiles/default/scripts/post.sh
index 8d443fc0..834a29b8 100644
--- a/confluent_osdeploy/el7/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/el7/profiles/default/scripts/post.sh
@@ -2,6 +2,7 @@
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
+chmod 600 /var/log/confluent/confluent-post.log
 tail -f /var/log/confluent/confluent-post.log > /dev/tty &
 logshowpid=$!
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
diff --git a/confluent_osdeploy/el7/profiles/default/scripts/pre.sh b/confluent_osdeploy/el7/profiles/default/scripts/pre.sh
index 78848259..1e862b75 100644
--- a/confluent_osdeploy/el7/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/el7/profiles/default/scripts/pre.sh
@@ -13,6 +13,7 @@ if [ -f "/run/install/cmdline.d/01-autocons.conf" ]; then
 fi
 exec >> /tmp/confluent-pre.log
 exec 2>> /tmp/confluent-pre.log
+chmod 600 /tmp/confluent-pre.log
 tail -f /tmp/confluent-pre.log > /dev/tty &
 logshowpid=$!
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
diff --git a/confluent_osdeploy/el8-diskless/profiles/default/scripts/firstboot.sh b/confluent_osdeploy/el8-diskless/profiles/default/scripts/firstboot.sh
index ed9f1354..c52b3b89 100644
--- a/confluent_osdeploy/el8-diskless/profiles/default/scripts/firstboot.sh
+++ b/confluent_osdeploy/el8-diskless/profiles/default/scripts/firstboot.sh
@@ -13,6 +13,7 @@ export nodename confluent_mgr confluent_profile
 . /etc/confluent/functions
 exec >> /var/log/confluent/confluent-firstboot.log
 exec 2>> /var/log/confluent/confluent-firstboot.log
+chmod 600 /var/log/confluent/confluent-firstboot.log
 tail -f /var/log/confluent/confluent-firstboot.log > /dev/console &
 logshowpid=$!
 while ! ping -c 1 $confluent_mgr >& /dev/null; do
diff --git a/confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh b/confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh
index ec2f225b..cc7a4719 100644
--- a/confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh
+++ b/confluent_osdeploy/el8-diskless/profiles/default/scripts/onboot.sh
@@ -14,6 +14,7 @@ export nodename confluent_mgr confluent_profile
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-onboot.log
 exec 2>> /var/log/confluent/confluent-onboot.log
+chmod 600 /var/log/confluent/confluent-onboot.log
 tail -f /var/log/confluent/confluent-onboot.log > /dev/console &
 logshowpid=$!
 
diff --git a/confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh b/confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh
index 03a13b76..6965815c 100644
--- a/confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/el8-diskless/profiles/default/scripts/post.sh
@@ -12,6 +12,7 @@ export nodename confluent_mgr confluent_profile
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
+chmod 600 /var/log/confluent/confluent-post.log
 tail -f /var/log/confluent/confluent-post.log > /dev/console &
 logshowpid=$!
 curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/firstboot.service > /etc/systemd/system/firstboot.service
diff --git a/confluent_osdeploy/el8/profiles/default/scripts/firstboot.sh b/confluent_osdeploy/el8/profiles/default/scripts/firstboot.sh
index 10219400..fbbb3b36 100644
--- a/confluent_osdeploy/el8/profiles/default/scripts/firstboot.sh
+++ b/confluent_osdeploy/el8/profiles/default/scripts/firstboot.sh
@@ -24,6 +24,7 @@ export nodename confluent_mgr confluent_profile
 . /etc/confluent/functions
 exec >> /var/log/confluent/confluent-firstboot.log
 exec 2>> /var/log/confluent/confluent-firstboot.log
+chmod 600 /var/log/confluent/confluent-firstboot.log
 tail -f /var/log/confluent/confluent-firstboot.log > /dev/console &
 logshowpid=$!
 while ! ping -c 1 $confluent_pingtarget >& /dev/null; do
diff --git a/confluent_osdeploy/el8/profiles/default/scripts/post.sh b/confluent_osdeploy/el8/profiles/default/scripts/post.sh
index 8d443fc0..834a29b8 100644
--- a/confluent_osdeploy/el8/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/el8/profiles/default/scripts/post.sh
@@ -2,6 +2,7 @@
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
+chmod 600 /var/log/confluent/confluent-post.log
 tail -f /var/log/confluent/confluent-post.log > /dev/tty &
 logshowpid=$!
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
diff --git a/confluent_osdeploy/el8/profiles/default/scripts/pre.sh b/confluent_osdeploy/el8/profiles/default/scripts/pre.sh
index f1ad004d..c6236918 100644
--- a/confluent_osdeploy/el8/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/el8/profiles/default/scripts/pre.sh
@@ -24,6 +24,7 @@ function confluentpython() {
 }
 exec >> /tmp/confluent-pre.log
 exec 2>> /tmp/confluent-pre.log
+chmod 600 /tmp/confluent-pre.log
 tail -f /tmp/confluent-pre.log > /dev/tty &
 logshowpid=$!
 confluentpython /etc/confluent/apiclient >& /dev/null
diff --git a/confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh b/confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh
index 142a4443..96796744 100644
--- a/confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh
+++ b/confluent_osdeploy/suse15-diskless/profiles/default/scripts/onboot.sh
@@ -14,6 +14,7 @@ export nodename confluent_mgr confluent_profile
 mkdir -p /var/log/confluent
 exec >> /var/log/confluent/confluent-onboot.log
 exec 2>> /var/log/confluent/confluent-onboot.log
+chmod 600 /var/log/confluent/confluent-onboot.log
 tail -f /var/log/confluent/confluent-onboot.log > /dev/console &
 logshowpid=$!
 
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh
index 650d7598..8cd7ac9b 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh
@@ -3,6 +3,7 @@
 # This script runs at the end of the final boot, updating status
 exec >> /var/log/confluent/confluent-firstboot.log
 exec 2>> /var/log/confluent/confluent-firstboot.log
+chmod 600 /var/log/confluent/confluent-firstboot.log
 
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
 v6cfg=$(grep ^ipv6_method: /etc/confluent/confluent.deploycfg)
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
index 2e0da964..9ecd4288 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
@@ -11,6 +11,7 @@
 
 exec >> /var/log/confluent/confluent-post.log
 exec 2>> /var/log/confluent/confluent-post.log
+chmod 600 /var/log/confluent/confluent-post.log
 confluent_mgr=$(grep ^deploy_server /etc/confluent/confluent.deploycfg|awk '{print $2}')
 confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^profile: //')
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
index 9762ef82..b947de43 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
@@ -5,6 +5,7 @@
 
 exec >> /tmp/confluent-pre.log
 exec 2>> /tmp/confluent-pre.log
+chmod 600 /tmp/confluent-pre.log
 nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
 rootpw=$(grep rootpassword: /etc/confluent/confluent.deploycfg|sed -e 's/^rootpassword: //')
 if [ "$rootpw" = "null" ]; then