Task 4.2.3 fails if a log file vanishes #90

Open
ps-spb opened this issue Sep 21, 2023 · 1 comment
Labels
bug Something isn't working

ps-spb commented Sep 21, 2023

Describe the Issue
If, during a run, a log file is configured to, say, keep X histories but is uniquely named (e.g. sessionlauncher.log.2023-09-21-14-19), and that log file vanishes, then the task will fail.

Expected Behavior
Task ignores the fact a file no longer exists and carries on with the next file.

Control(s) Affected
4.2.3

Environment (please complete the following information):

  • branch being used: main

  • Ansible Version: ansible 2.10.8

  • Host Python Version: 3.10.12

  • Ansible Server Python Version: 3.10.12 (same - being run locally)

Additional Details:
We are targeting the AWS WorkSpaces Ubuntu offering.

Additional Notes
Sample error message:

failed: [localhost] (item=/var/log/dcv/sessionlauncher.log.2023-09-21-14-19) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305339.6007233, "ctime": 1695305972.2894833, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1047182, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305927.553581, "nlink": 1, "path": "/var/log/dcv/sessionlauncher.log.2023-09-21-14-19", "pw_name": "root", "rgrp": true, "roth": false, "rusr": true, "size": 1556, "uid": 0, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/sessionlauncher.log.2023-09-21-14-19) is absent, cannot continue", "path": "/var/log/dcv/sessionlauncher.log.2023-09-21-14-19", "state": "absent"}
failed: [localhost] (item=/var/log/dcv/agent.console.log.2023-09-21-14-19) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305344.936731, "ctime": 1695305972.1291497, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1047899, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305375.0647857, "nlink": 1, "path": "/var/log/dcv/agent.console.log.2023-09-21-14-19", "pw_name": "gdm", "rgrp": true, "roth": false, "rusr": true, "size": 58456, "uid": 133, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/agent.console.log.2023-09-21-14-19) is absent, cannot continue", "path": "/var/log/dcv/agent.console.log.2023-09-21-14-19", "state": "absent"}
failed: [localhost] (item=/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23) => {"ansible_loop_var": "item", "changed": false, "item": {"atime": 1695305378.6407952, "ctime": 1695306196.3926826, "dev": 66307, "gid": 999, "gr_name": "dcv", "inode": 1048048, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0640", "mtime": 1695305927.7215812, "nlink": 1, "path": "/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23", "pw_name": "simon.baker", "rgrp": true, "roth": false, "rusr": true, "size": 2842, "uid": 891801367, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "file (/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23) is absent, cannot continue", "path": "/var/log/dcv/agentlauncher.simon.baker.log.2023-09-21-14-23", "state": "absent"}

Possible Solution
Task ignores errors? This feels a little brittle...

@ps-spb ps-spb added the bug Something isn't working label Sep 21, 2023
Atamido commented Aug 13, 2024

I'm running into the same issue. I've found one quick fix which significantly reduces the likelihood of the issue occurring, and then another more elaborate solution which fully covers the issue.

The quick fix is to modify the when statement in
https://github.com/ansible-lockdown/UBUNTU22-CIS/blob/devel/tasks/section_4/cis_4.2.3.yml
from:

    when:
        - item.path != "/var/log/btmp"
        - item.path != "/var/log/utmp"
        - item.path != "/var/log/wtmp"

to:

    when:
        - item.path != "/var/log/btmp"
        - item.path != "/var/log/utmp"
        - item.path != "/var/log/wtmp"
        - item.mode != "0640"
        - item.mode != "0600"

This prevents ansible.builtin.file from trying to run on a log file where the permissions are already correct. As most log files seem to have the correct permissions by default, this resolves the issue for most situations.

The second solution was to create a separate file with a block/rescue which would be used to set the permissions. In the same cis_4.2.3.yml file as before, change:

  - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
    ansible.builtin.file:
        path: "{{ item.path }}"
        mode: '0640'
    loop: "{{ logfiles.files }}"

to:

  - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
    ansible.builtin.include_tasks: set_perms.yml
    # vars is a task-level keyword, not a parameter of include_tasks; the
    # variable name must match the one read in set_perms.yml (perm_mode)
    vars:
        perm_mode: '0640'
    loop: "{{ logfiles.files }}"

And the set_perms.yml file:

  - name: Set log file permissions, tolerating a file that vanished after find
    block:
      - name: Set permissions on the log file
        ansible.builtin.file:
            path: "{{ item.path }}"
            mode: "{{ perm_mode }}"
    rescue:
      # Reached only if the file task failed; re-check the path so that a file
      # rotated away between find and file is skipped, while any other error
      # (e.g. permission denied on a file that still exists) fails again below.
      - name: Confirm file still exists
        ansible.builtin.stat:
            path: "{{ item.path }}"
        register: perm_file_check

      - name: Retry only if the file is still present
        ansible.builtin.file:
            path: "{{ item.path }}"
            mode: "{{ perm_mode }}"
        # when is a task-level keyword; nested under the module args it would be
        # rejected as an unsupported parameter
        when: perm_file_check.stat.exists
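A further variant, added here as an example and not code from the issue, the comment above or the ansible-lockdown role: the original single task kept, with `failed_when` narrowed so that only the race the issue describes (a log rotated away between the role's `find` and the `file` module) is tolerated, while any other failure still stops the play. The task name, the `logfiles` variable and the btmp/utmp/wtmp exclusions are taken from the snippets above; the registered variable `logfile_perms`, the `item.mode` pre-filter and the second reporting task are assumptions of this example. It relies on two Ansible behaviours: `failed_when` is evaluated once per loop item against that item's result, and the `file` module reports `state: absent` together with the "is absent, cannot continue" message when the path is gone, exactly as in the error output quoted in the issue.

```yaml
# Added example, not the role's own code. Replaces the "change permissions"
# task in cis_4.2.3.yml. Assumes `logfiles` is the registered result of the
# role's ansible.builtin.find over /var/log, as in the original task.
- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
  ansible.builtin.file:
      path: "{{ item.path }}"
      mode: '0640'
  loop: "{{ logfiles.files }}"
  loop_control:
      # Log the path only, instead of dumping the whole stat dict per item
      label: "{{ item.path }}"
  register: logfile_perms
  # Tolerate only the case where the file vanished after `find` ran: the file
  # module then returns state: absent. Both conditions are ANDed, so a failure
  # with any other state (permission denied, immutable file, read-only fs)
  # still fails the play instead of being silently ignored.
  failed_when:
      - logfile_perms.failed | default(false)
      - logfile_perms.state | default('') != 'absent'
  when:
      - item.path != "/var/log/btmp"
      - item.path != "/var/log/utmp"
      - item.path != "/var/log/wtmp"
      # Skip files that already comply (item.mode comes from find as a string);
      # fewer writes also means fewer chances to hit the rotation race at all.
      - item.mode not in ['0640', '0600']

# Surface the skipped files in the play output so the race is visible rather
# than hidden; the `item.item` nesting is how per-item results expose the
# original loop item.
- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | report files that vanished"
  ansible.builtin.debug:
      msg: "Skipped {{ item.item.path }}: rotated away before permissions could be set"
  loop: "{{ logfile_perms.results | default([]) }}"
  loop_control:
      label: "{{ item.item.path | default('n/a') }}"
  when:
      - item.state | default('') == 'absent'
```

Compared with `ignore_errors: true`, which the issue reporter calls brittle, this keeps every failure that is not the absent-file race fatal, so a log file the role cannot chmod is still reported as a failed control rather than passing silently; compared with the block/rescue variant it avoids an `include_tasks` per file, which matters on hosts with hundreds of rotated logs.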
