---

- name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured"
  when:
    - ubtu24cis_rule_6_1_4_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - logfiles
    - rule_6.1.4.1
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  block:
    - name: "6.1.4.1 | AUDIT | Ensure access to all logfiles has been configured | find files"
      ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
      changed_when: false
      failed_when: false
      register: discovered_logfiles

    - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
      when:
        - item != "/var/log/btmp"
        - item != "/var/log/utmp"
        - item != "/var/log/wtmp"
        - item != "/var/log/lastlog"
      ansible.builtin.file:
        path: "{{ item }}"
        mode: 'u-x,g-wx,o-rwx'
      loop: "{{ discovered_logfiles.stdout_lines }}"

    - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
      when:
        - discovered_system_logfiles.stdout_lines is defined
        - item == "/var/log/btmp"
        - item == "/var/log/utmp"
        - item == "/var/log/wtmp"
        - item == "/var/log/lastlog"
        - "'sssd' in item or 'SSSD' in item"
      ansible.builtin.file:
        path: "{{ item }}"
        mode: 'ug-x,o-wx'
      loop: "{{ discovered_system_logfiles.stdout_lines }}"