diff --git a/overlay.d/05core/statoverride b/overlay.d/05core/statoverride
new file mode 100644
index 0000000000..9769b8ccb0
--- /dev/null
+++ b/overlay.d/05core/statoverride
@@ -0,0 +1,6 @@
+# Config file for overriding permission bits on overlay files/dirs
+# Format: =
+
+# Some security scanners complain if /etc/sudoers.d files have 0044 mode bits
+# https://bugzilla.redhat.com/show_bug.cgi?id=1981979
+=384 /etc/sudoers.d/coreos-sudo-group
diff --git a/overlay.d/08nouveau/statoverride b/overlay.d/08nouveau/statoverride
new file mode 100644
index 0000000000..27a95affe2
--- /dev/null
+++ b/overlay.d/08nouveau/statoverride
@@ -0,0 +1,2 @@
+# Config file for overriding permission bits on overlay files/dirs
+# Format: =
diff --git a/overlay.d/09misc/statoverride b/overlay.d/09misc/statoverride
new file mode 100644
index 0000000000..27a95affe2
--- /dev/null
+++ b/overlay.d/09misc/statoverride
@@ -0,0 +1,2 @@
+# Config file for overriding permission bits on overlay files/dirs
+# Format: =
diff --git a/overlay.d/12kdump/statoverride b/overlay.d/12kdump/statoverride
new file mode 100644
index 0000000000..27a95affe2
--- /dev/null
+++ b/overlay.d/12kdump/statoverride
@@ -0,0 +1,2 @@
+# Config file for overriding permission bits on overlay files/dirs
+# Format: =
diff --git a/overlay.d/14NetworkManager-plugins/statoverride b/overlay.d/14NetworkManager-plugins/statoverride
new file mode 100644
index 0000000000..27a95affe2
--- /dev/null
+++ b/overlay.d/14NetworkManager-plugins/statoverride
@@ -0,0 +1,2 @@
+# Config file for overriding permission bits on overlay files/dirs
+# Format: =
diff --git a/overlay.d/15fcos/statoverride b/overlay.d/15fcos/statoverride
new file mode 100644
index 0000000000..27a95affe2
--- /dev/null
+++ b/overlay.d/15fcos/statoverride
@@ -0,0 +1,2 @@
+# Config file for overriding permission bits on overlay files/dirs
+# Format: =
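Review bot: The `=384` entry for /etc/sudoers.d/coreos-sudo-group in overlay.d/05core/statoverride is a decimal mode sitting directly under a comment that talks in octal (`0044`), which makes a security-relevant permission easy to misread or mis-edit; 384 decimal is 0600 octal, matching what the new kola check expects. I would add a line such as `# 384 (decimal) == 0600 (octal): owner read/write only` above the entry. The `# Format: =` line looks truncated on this page, so whether the file itself states the decimal convention cannot be confirmed from here; if it does not, the format comment in each statoverride file should say so explicitly.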
diff --git a/overlay.d/20platform-chrony/statoverride b/overlay.d/20platform-chrony/statoverride
new file mode 100644
index 0000000000..27a95affe2
--- /dev/null
+++ b/overlay.d/20platform-chrony/statoverride
@@ -0,0 +1,2 @@
+# Config file for overriding permission bits on overlay files/dirs
+# Format: =
diff --git a/tests/kola/misc-ro b/tests/kola/misc-ro
index cdf9073e58..0ebfabfa0a 100755
--- a/tests/kola/misc-ro
+++ b/tests/kola/misc-ro
@@ -64,6 +64,14 @@ if test -d /usr/share/info; then fatal "found /usr/share/info" fi
+# Security scanners complain about world-readable files in /etc/sudoers.d.
+# Check that there aren't any.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1981979
+sudoers_files="$(find /etc/sudoers.d -type f ! -perm 600 2>&1)"
+if [ -n "$sudoers_files" ]; then
+ fatal "Found files in /etc/sudoers.d with unexpected permissions: $sudoers_files"
+fi
+
 # See https://github.com/coreos/coreos-assembler/pull/1786
 path=/usr/lib/systemd/system-generators/coreos-platform-chrony
 mode=$(stat -c '%a' ${path})
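Review bot: The added `find /etc/sudoers.d -type f ! -perm 600` test in tests/kola/misc-ro enforces "exactly 0600", which is not what its comment describes ("world-readable files"): a stricter mode such as 0400 would fail the test, and the comment gives a maintainer no hint that 0600 is the required value. If the intent is "no group/other access", `find /etc/sudoers.d -type f -perm /077` (GNU find) states that directly; if exactly 0600 is the policy, the comment should read something like `# Every file in /etc/sudoers.d must be exactly mode 0600.` Separately, `2>&1` captures find's own error output into `$sudoers_files`, so a missing or unreadable directory would be reported as "unexpected permissions"; the test still fails, but the message would point at the wrong cause. `-type f` also means symlinks and the mode of the directory itself are not covered by this check.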