Improved mode logic for audit log

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Sep 17, 2024 · 6521784 · 6521784
1 parent 31e5267
commit 6521784
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
@@ -23,7 +23,7 @@
             "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
         ansible.builtin.file:
             path: "{{ audit_discovered_logfile.stdout }}"
-            mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}"
+            mode: 'u-x,g-wx,o-rwx'
             owner: root
             group: root
   when: