ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

4.2.3 | PATCH | Ensure permissions on all logfiles are configured - Not idempotent with Molecule #173

Closed rjacobs1990 closed 6 months ago

rjacobs1990 commented 6 months ago

Describe the Issue: 4.2.3 | PATCH | Ensure permissions on all logfiles are configured. Unfortunately this step is not idempotent. When running a cis-wrapper role which is calling this role I noticed that the audit.log kept changing during the Molecule idempotency run on AWS/Azure Alma or RHEL machines. changed: [almalinux-9-x86_64] => (item=/var/log/audit/audit.log)

Expected Behavior: I would like to see no changes in file permissions during the second run.

Actual Behavior: The second run is changing the following files: changed: [almalinux-9-x86_64] => (item=/var/log/audit/audit.log)

Control(s) Affected: 4.2.3 | PATCH | Ensure permissions on all logfiles are configured.

Environment (please complete the following information):

Additional Notes: N/A

Possible Solution: The code below could be a potential fix for the issue:

- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
  ansible.builtin.file:
    path: "{{ item.path }}"
    mode: "{% if item.mode != '0600' %}0640{% endif %}"
  loop: "{{ logfiles.files }}"
  loop_control:
    label: "{{ item.path }}"
  when:
    - item.path != "/var/log/btmp"
    - item.path != "/var/log/utmp"
    - item.path != "/var/log/wtmp"

rjacobs1990 commented 6 months ago

Updated the mode setting to: "{{ '0600' if item.mode == '0600' else '0640' }}". This prevents skips on the 0600.
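To check the idempotency property the Molecule run is testing for, here is an added Python model of the task's mode decision (this is not code from the RHEL9-CIS role; the log file list and modes are constructed sample data). It generalises the updated expression from "keep 0600" to "keep any mode already at least as strict as 0640", and runs the decision twice the way Molecule does, so the second pass must report no changes.

```python
# Plain-Python model of the 4.2.3 "change permissions" task, added as an example.
# Assumption: the `when:` exclusions and the 0640 default are taken from the issue;
# the "keep anything stricter than 0640" rule is a generalisation, not the role's code.

EXCLUDED = {"/var/log/btmp", "/var/log/utmp", "/var/log/wtmp"}
DEFAULT_MODE = 0o640  # rw-r-----


def target_mode(path, current):
    """Mode the task would set for one file, or None when the file is skipped.

    A file whose mode has no permission bit outside 0640 (e.g. 0600, 0400) is
    already compliant and is left alone, which is what makes a second run a no-op.
    """
    if path in EXCLUDED:
        return None
    if current & ~DEFAULT_MODE == 0:  # no bits beyond rw-r----- are set
        return current
    return DEFAULT_MODE


def apply_pass(files):
    """One run over a {path: mode} dict; returns (new modes, paths reported changed)."""
    result = dict(files)
    changed = []
    for path, mode in files.items():
        wanted = target_mode(path, mode)
        if wanted is not None and wanted != mode:
            result[path] = wanted
            changed.append(path)
    return result, changed


# Constructed sample tree, not captured from a real host.
SAMPLE = {
    "/var/log/audit/audit.log": 0o600,  # auditd default, stricter than 0640
    "/var/log/messages": 0o644,         # world-readable: must be tightened
    "/var/log/secure": 0o640,           # already compliant
    "/var/log/btmp": 0o660,             # excluded by the task's when: clause
    "/var/log/cron": 0o400,             # stricter than 0640: keep as-is
}


def molecule_idempotence(files):
    """Mimic Molecule's idempotence step: run twice, return both change lists."""
    first, changed1 = apply_pass(files)
    _, changed2 = apply_pass(first)
    return changed1, changed2


if __name__ == "__main__":
    c1, c2 = molecule_idempotence(SAMPLE)
    print("first run changed:", c1)   # ['/var/log/messages']
    print("second run changed:", c2)  # []
```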

uk-bolly commented 6 months ago

Hi @rjacobs1990

Great work on the issue and PR. I have feedback on the PR.

Many thanks again

uk-bolly