How to properly set file-mode for /var/log/cloud-init.log

In using the vendor-STIGs for RHEl7, the

Rule ID wants all files that rsyslog knows about to be set mode 0600 or more secure. I manually remediated the system - setting in the , stripping rwx from group and other on all files under and rebooting. When the system reboots, all files remain at mode except for .

When I run the oscap report, it looks like, because rsyslog knows about this file (via

), it's marking the rule-compliance as failed.

In digging around, it looks like the starting mode for

is (re)set by python (rather than ). It looks like this behavior would notionally be configurable via the file. Unfortunately, in looking at info about that file (and generic python-logging config), I'm not seeing a promising method for forcing the mode for to be mode (admitedly, I'm rather muzzy-headed from cold medications, right now).

Am I missing something obvious, or am I in a "can't get there from here" situation? I really don't want to have to resort to an

type of kludge to move past this. :(

Any way, opened a BugZilla to see if this is a known issue and/or if there's a documented way around this scenario, but figured I'd post here in case someone could get me there more quickly.