logrotate undesired permission change in focal

Bug #1948453 reported by Arif Ali
Affects: Ubuntu Security Certifications
Status: Fix Released
Importance: Undecided
Assigned to: Richard Maciel Costa
Milestone: (not set)

Bug Description

When running the CIS benchmark in focal we have an issue with a few files in /var/log where the permissions are changed to be more restrictive, but the ownership is also changed to root:utmp. This therefore leaves the files with no content, as the relevant services are no longer able to access them.

Below is the output of ls -lrt, which shows the files that this affected.

-rw-r----- 1 root utmp 0 Oct 22 10:03 alternatives.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 haproxy.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 dpkg.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 syslog
-rw-r----- 1 root utmp 0 Oct 22 10:03 mail.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 kern.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 auth.log
-rw-r----- 1 root utmp 0 Oct 22 10:03 ubuntu-advantage.log

This is part of 4.4 of the CIS Benchmark, and the remediation gives an example, but I'm not sure whether we should be taking that blindly.

~~~
Edit /etc/logrotate.conf and update the create line to read 0640 or more restrictive, following local site policy

Example:

create 0640 root utmp
~~~

I reckon we could just do with the following instead:

create 0640

The audit procedure does suggest a grep with \s at the end, but I think we could do without that, and it should work:

~~~
Audit Procedure
WARNING: The contents of this section may not render correctly in the Word Export

Run the following command:

# grep -Es "^\s*create\s+\S+" /etc/logrotate.conf /etc/logrotate.d/* | grep -E -v "\s(0)?[0-6][04]0\s"

Nothing should be returned
~~~

After I changed logrotate.conf to use "create 640", removed syslog and re-ran "logrotate -f /etc/logrotate.conf", the configuration was restored to what it should be, with the right permissions.

Tags: sts
Arif Ali (arif-ali)
tags: added: sts
Changed in ubuntu-security-certifications:
assignee: nobody → Richard Maciel Costa (richardmaciel)
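The two points in the report, as an added example that is not code from the bug report, the CIS benchmark or the Ubuntu security guides: the CIS 4.4 audit regex exactly as published (with its `\s` written as `[[:space:]]` for portability) next to a variant whose trailing whitespace is relaxed to "whitespace or end of line", a check for `create` directives that hard-code an owner/group, and a small model of logrotate's `create` semantics as documented in logrotate(8), where any owner or group omitted from the directive is inherited from the rotated file. The logrotate config is constructed for the example, and the rotated file's ownership of `syslog:adm` is an assumption (typical for /var/log/syslog on Ubuntu, but not stated on this page).

```shell
#!/bin/sh
# Added example, not code from the bug report, the CIS benchmark or the
# Ubuntu security guides. It models:
#   1. the CIS 4.4 audit regex, as published and with its trailing \s relaxed;
#   2. logrotate's "create" semantics (logrotate(8)): owner/group omitted from
#      the directive are inherited from the rotated file, so a bare
#      "create 0640" keeps the service's ownership while
#      "create 0640 root utmp" replaces it.

# Constructed sample config; not a real /etc/logrotate.conf.
SAMPLE_CONF='# constructed sample
weekly
create 0640 root utmp
include /etc/logrotate.d
/var/log/wtmp {
    missingok
    create 0664 root utmp
}
/var/log/syslog {
    create 640
}
/var/log/apt/history.log {
    create 0644 root root
}
'

# CIS 4.4 audit as published (\s written as [[:space:]] for portability).
# The trailing [[:space:]] means "create 640" with nothing after the mode is
# reported as a finding even though its mode is compliant.
audit_cis_verbatim() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*create[[:space:]]+[^[:space:]]+' \
      | grep -E -v '[[:space:]](0)?[0-6][04]0[[:space:]]'
}

# Same audit with the trailing whitespace relaxed to "whitespace or end of
# line", so only genuinely over-permissive modes are reported.
audit_mode_only() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*create[[:space:]]+[^[:space:]]+' \
      | grep -E -v '[[:space:]](0)?[0-6][04]0([[:space:]]|$)'
}

# Directives that hard-code an owner after the mode: these override the
# rotated file's ownership for every log they apply to (the failure seen in
# this report when "root utmp" sat in the global /etc/logrotate.conf).
find_explicit_owner() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*create[[:space:]]+0?[0-7][0-7][0-7][[:space:]]+[^[:space:]]+'
}

# Number of lines a check reports (0 when it reports nothing).
count_hits() {
    "$@" | wc -l | tr -d '[:space:]'
}

# Ownership of the recreated log for a directive ($1) and the rotated file's
# owner:group ($2), following logrotate(8): omitted attributes are inherited.
resolve_create_owner() {
    orig_owner=${2%%:*}
    orig_group=${2#*:}
    set -- $1                       # split "create [mode] [owner] [group]"
    shift                           # drop the keyword
    case ${1:-} in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) shift ;;   # skip the mode
    esac
    printf '%s:%s\n' "${1:-$orig_owner}" "${2:-$orig_group}"
}

echo "== CIS regex as published (the bare 'create 640' is flagged) =="
audit_cis_verbatim "$SAMPLE_CONF"
echo "== Mode check only =="
audit_mode_only "$SAMPLE_CONF"
echo "== Directives that override ownership =="
find_explicit_owner "$SAMPLE_CONF"
echo "== Owner of a recreated syslog (rotated file assumed syslog:adm) =="
resolve_create_owner 'create 0640 root utmp' 'syslog:adm'   # root:utmp
resolve_create_owner 'create 0640' 'syslog:adm'             # syslog:adm
```

Run it with `sh`. Against the sample config the published regex reports three lines, including the compliant `create 640`, because nothing follows the mode; the relaxed regex reports only the two over-permissive modes (0664 and 0644), which is the behaviour the reporter expected after dropping the trailing `\s`. The owner check is the one worth adding to a site policy: a global `create 0640 root utmp` is not caught by the CIS audit at all, yet it is exactly what turned the logs in this report into empty root:utmp files.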
Richard Maciel Costa (richardmaciel) wrote :

Fix released in ubuntu-security-guides_20.04.4.1

Changed in ubuntu-security-certifications:
status: New → Fix Released