4.2.3 | PATCH | Ensure permissions on all logfiles are configured - Not idempotent with Molecule
rjacobs1990 opened this issue · comments
Describe the Issue
4.2.3 | PATCH | Ensure permissions on all logfiles are configured. Unfortunately, this step is not idempotent.
When running a cis-wrapper role that calls this role, I noticed that the audit.log kept changing during the Molecule idempotency run on AWS/Azure Alma or RHEL machines.
changed: [almalinux-9-x86_64] => (item=/var/log/audit/audit.log)
Expected Behavior
I would like to see no changes in file permissions during the second run.
Actual Behavior
The second run is changing the following files:
changed: [almalinux-9-x86_64] => (item=/var/log/audit/audit.log)
Control(s) Affected
What controls are being affected by the issue
4.2.3 | PATCH | Ensure permissions on all logfiles are configured.
Environment (please complete the following information):
- branch being used: v1.0.1
- Ansible Version: [2.15]
- Host Python Version: 3.12
- Ansible Server Python Version: n/a
- Additional Details:
I think the issue is partially caused by the audit.conf, where the log_group is set to root. During rotation it sets the permissions back to 600.
Additional Notes
N/A
Possible Solution
The code below could be a potential fix for the issue:

```yaml
- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
  ansible.builtin.file:
    path: "{{ item.path }}"
    mode: "{% if item.mode != '0600' %}0640{% endif %}"
  loop: "{{ logfiles.files }}"
  loop_control:
    label: "{{ item.path }}"
  when:
    - item.path != "/var/log/btmp"
    - item.path != "/var/log/utmp"
    - item.path != "/var/log/wtmp"
```
Updated the mode setting to: `"{{ '0600' if item.mode == '0600' else '0640' }}"`
This prevents skips on the 0600.
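An added example (not the role's code or the issue author's) that takes the idempotency idea one step further: instead of special-casing 0600, it ANDs each file's current mode with 0640, so any mode already at or stricter than 0640 is left alone and a second run reports no change. Matching the excluded files by basename and the sample log tree are assumptions/constructed for the demo.

```python
import os
import stat
import tempfile

# CIS 4.2.3: log files must be 0640 or more restrictive.  Rather than
# special-casing 0600 as the issue's task does, AND the current mode with
# 0640: group write/exec, all "other" bits and any setuid/setgid/sticky bit
# are cleared, but a stricter mode (0600, 0400) is left alone, so a second
# run changes nothing.
MAX_LOG_MODE = 0o640

# Matched by basename here (assumption); the role skips the absolute paths
# /var/log/btmp, /var/log/utmp and /var/log/wtmp.
EXCLUDED_NAMES = {"btmp", "utmp", "wtmp"}


def target_mode(current_mode: int) -> int:
    """Mode a log file should end up with, given its current mode bits."""
    return current_mode & MAX_LOG_MODE


def harden_logfiles(log_dir: str) -> list:
    """Tighten every regular file under log_dir that is looser than 0640.
    Returns the paths changed; [] on the second run is the idempotency check."""
    changed = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            if name in EXCLUDED_NAMES:
                continue
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # leave symlinks, sockets, devices alone
            current = stat.S_IMODE(st.st_mode)
            if target_mode(current) == current:
                continue  # already 0640 or stricter: nothing to do
            os.chmod(path, target_mode(current))
            changed.append(path)
    return changed


def make_demo_logdir() -> str:
    """Constructed sample tree: audit.log already 0600, messages too loose."""
    d = tempfile.mkdtemp(prefix="cis423-")
    for name, mode in [("audit.log", 0o600), ("messages", 0o644),
                       ("secure", 0o640), ("wtmp", 0o664)]:
        path = os.path.join(d, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return d
```

Calling `harden_logfiles(make_demo_logdir())` twice changes only `messages` on the first run and nothing on the second, which is the behaviour the Molecule idempotency stage expects.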
Hi @rjacobs1990,
Great work on the issue and PR; I have feedback on the PR.
Many thanks again
uk-bolly