Comment 2 for bug 1541196

Thomas H Jones II (ferricoxide) wrote :

Wanted to provide additional input on this: my AWS-hosted customers have compliance requirements that test for whether all files that rsyslog knows about are mode 0600 (or more restrictive). Because rsyslog knows about the /var/log/cloud-init.log file (via an include statement), cloud-init's clobbering of the mode (reverting it to 0644) causes security scans to pop an alert for permissions misconfiguration.

I was trying to get my head around "how do I patch this behavior", but couldn't noodle it. So, for now, it's causing me pains from my CND folks screaming, "you guys need to fix this".

Any suggestions on how to update my /etc/cloud/cloud.cfg.d/05_logging.cfg (path for RHEL 7's cloud init logging-config) to get them off my neck? I'd rather not have to either POAM this or resort to an rc.local script if there's a better way of addressing the issue.
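
An added example, not part of the comment above and not cloud-init or scanner code: a sketch of the "mode 0600 or more restrictive" test the comment describes, written as a bitmask check so that a mode such as 0477 (numerically below 0600) is still flagged. The function names are hypothetical, and the list of files rsyslog knows about is assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example: flag log files whose mode grants anything beyond
# owner read/write. Function names are hypothetical.

# mode_ok OCTAL -> exit 0 if the mode is 0600 or more restrictive.
# This is a bitmask test, not a numeric comparison: 0477 is numerically
# lower than 0600 but still grants group and other access.
mode_ok() {
    # 07177 = every bit outside owner read/write
    # (owner execute, all group/other bits, setuid/setgid/sticky)
    [ $(( 0$1 & 07177 )) -eq 0 ]
}

# file_mode PATH -> prints the octal mode (GNU stat, with a BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_log_modes FILE... -> prints one line per violation;
# exit status is 1 if any file is more permissive than 0600.
check_log_modes() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue        # skip files that do not exist
        m=$(file_mode "$f")
        if ! mode_ok "$m"; then
            echo "FAIL $f mode=$m"
            rc=1
        fi
    done
    return $rc
}

# Usage (path taken from the comment above):
#   check_log_modes /var/log/cloud-init.log
```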