ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline

Home Page:https://ansible-lockdown.readthedocs.io

4.2.3 | PATCH | Ensure permissions on all logfiles are configured - Not idempotent with Molecule

rjacobs1990 opened this issue · comments

Describe the Issue
4.2.3 | PATCH | Ensure permissions on all logfiles are configured. Unfortunately, this step is not idempotent.
When running a cis-wrapper role that calls this role, I noticed that audit.log kept changing during the Molecule idempotency run on AWS/Azure AlmaLinux or RHEL machines:
changed: [almalinux-9-x86_64] => (item=/var/log/audit/audit.log)

Expected Behavior
I would like to see no changes in file permissions during the second run.

Actual Behavior
The second run is changing the following files:
changed: [almalinux-9-x86_64] => (item=/var/log/audit/audit.log)

Control(s) Affected
4.2.3 | PATCH | Ensure permissions on all logfiles are configured.

Environment (please complete the following information):

  • branch being used: v1.0.1
  • Ansible Version: [2.15]
  • Host Python Version: 3.12
  • Ansible Server Python Version: n/a
  • Additional Details:
    I think the issue is partially caused by the audit.conf where the log_group is set to root. During rotation it will set the permissions back to 600.

Additional Notes
N/A

Possible Solution
The code below could be a potential fix for the issue:

        # `logfiles` is the registered result of the preceding ansible.builtin.find over /var/log
        - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
          ansible.builtin.file:
            path: "{{ item.path }}"
            # Keep files that are already 0600 (e.g. audit.log) at 0600; everything else becomes 0640.
            # A bare `{% if %}` with no else branch yields an empty mode for 0600 files,
            # so the conditional expression form is used instead.
            mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
          loop: "{{ logfiles.files }}"
          loop_control:
            label: "{{ item.path }}"
          when:
            - item.path != "/var/log/btmp"
            - item.path != "/var/log/utmp"
            - item.path != "/var/log/wtmp"

Updated the mode setting to: "{{ '0600' if item.mode == '0600' else '0640' }}"
This prevents skips on the 0600.
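The non-idempotence described in this issue can be reproduced without Ansible or Molecule. The following is an added example, not code from the RHEL9-CIS role or from the reporter: a small Python model of the 4.2.3 task that runs the original policy (force every logfile to 0640) and the proposed policy (leave files that are already 0600 alone) over a constructed /var/log tree in a temporary directory, with a simulated auditd rotation between the two passes. The rotation helper encodes the reporter's hypothesis that auditd with log_group = root resets audit.log to 0600; that behaviour is an assumption of the model, as is the sample file tree.

```python
"""Model of CIS 4.2.3 'Ensure permissions on all logfiles are configured'.

Shows why unconditionally setting 0640 is not idempotent once auditd has
rotated audit.log back to 0600, and why the 'keep 0600, otherwise 0640'
rule from the issue is. Added example, not the role's own code.
"""
import os
import tempfile

# Files the task skips, taken from the role's `when:` clause.
EXCLUDED = {"/var/log/btmp", "/var/log/utmp", "/var/log/wtmp"}

# Constructed sample tree (assumption): relative path -> starting mode.
SAMPLE_TREE = {
    "var/log/messages": 0o644,
    "var/log/audit/audit.log": 0o600,
    "var/log/wtmp": 0o664,
}


def naive_desired_mode(current_mode: str) -> str:
    """Original behaviour: every logfile is forced to 0640."""
    return "0640"


def fixed_desired_mode(current_mode: str) -> str:
    """Reporter's proposal: leave already-tighter 0600 files as they are."""
    return "0600" if current_mode == "0600" else "0640"


def run_task(root: str, rel_paths, policy) -> list:
    """One pass of the task. Returns the relative paths whose mode changed,
    which is what Ansible would report as 'changed' for that loop item."""
    changed = []
    for rel in sorted(rel_paths):
        if "/" + rel in EXCLUDED:
            continue  # mirrors the task's `when:` exclusions
        path = os.path.join(root, rel)
        # ansible.builtin.find reports mode as a zero-padded octal string, e.g. "0644".
        current = "%04o" % (os.stat(path).st_mode & 0o7777)
        desired = policy(current)
        if current != desired:
            os.chmod(path, int(desired, 8))
            changed.append(rel)
    return changed


def rotate_audit_log(root: str) -> None:
    """Assumption from the issue: auditd with log_group = root recreates
    audit.log with mode 0600 on rotation, undoing whatever the task set."""
    os.chmod(os.path.join(root, "var/log/audit/audit.log"), 0o600)


def demo(policy):
    """Build the sample tree, run the task, rotate, run again.
    Returns (changed_in_first_pass, changed_in_second_pass)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in SAMPLE_TREE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        first = run_task(root, SAMPLE_TREE, policy)
        rotate_audit_log(root)
        second = run_task(root, SAMPLE_TREE, policy)
        return first, second


if __name__ == "__main__":
    for name, policy in (("naive", naive_desired_mode), ("fixed", fixed_desired_mode)):
        first, second = demo(policy)
        print(f"{name}: first pass changed {first}; second pass changed {second}")
```

With the naive policy the second pass reports audit.log as changed again, which is exactly the Molecule idempotency failure in the report; with the fixed policy the second pass changes nothing. wtmp is never touched by either policy because it is excluded by the task's `when:` conditions.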

Hi @rjacobs1990

Great work on the issue and PR. I have feedback on the PR.

Many thanks again

uk-bolly