diff --git a/doc/source/developer-notes/V-38498.rst b/doc/source/developer-notes/V-38498.rst
index db983422..50961e5c 100644
--- a/doc/source/developer-notes/V-38498.rst
+++ b/doc/source/developer-notes/V-38498.rst
@@ -1,7 +1,8 @@
-Ubuntu 14.04 sets logs in ``/var/log/audit`` to mode ``0400`` by default,
-which makes sense because only the root user should be able to view the
-logs. No users should ever be adjusting or editing the audit logs.
+Ubuntu and CentOS set the current audit log (the one that is actively being
+written to) to ``0600`` so that only the root user can read and write to it.
+The older, rotated logs are set to ``0400`` since they should not receive
+any more writes.
 
-The STIG requirement states that log files must have mode ``0640`` or less.
-The Ansible tasks in this role will set the mode to ``0400`` to match
-Ubuntu's default.
+The STIG requirement states that log files must have mode ``0640`` or less. The
+security role will remove any permissions that are not allowed by the STIG
+(``u-x,g-wx,o-rwx``).
diff --git a/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml b/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml
new file mode 100644
index 00000000..61b05693
--- /dev/null
+++ b/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+ - |
+ The security role previously set the permissions on all audit log files in
+ ``/var/log/audit`` to ``0400``, but this prevents the audit daemon from
+ writing to the active log file. This will prevent ``auditd`` from
+ starting or restarting cleanly.
+
+ The task now removes any permissions that are not allowed by the STIG. Any
+ log files that meet or exceed the STIG requirements will not be modified.
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 308cf87e..071cf019 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -261,12 +261,12 @@
 - cat2
 - V-38498
 
-# Ubuntu 14.04 sets these to 0400 by default, so we will stick with that since
-# it exceeds the STIG's requirements.
+# On most systems, the active log file is 0600 and the older logs are 0400.
+# This task ensures that all logs meet or exceed the STIG requirement.
 - name: V-38498 - Audit log files must have mode 0640 or less
 file:
 dest: "/var/log/audit/{{ item }}"
- mode: 0400
+ mode: "u-x,g-wx,o-rwx"
 with_items: "{{ v38498_result.stdout_lines | default([]) }}"
 when: auditd_log_dir.stat.exists | bool
 tags:
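Review bot: The symbolic mode `u-x,g-wx,o-rwx` on the new `mode:` line strips only the read/write/execute bits and leaves setuid, setgid and sticky bits in place, so a log file that somehow carries one of them (e.g. `2640`) would be treated as compliant even though it is more permissive than the STIG's `0640` ceiling; `mode: "u-xs,g-wxs,o-rwxt"` closes that gap while still leaving `0600` and `0400` files untouched. The reason this task is now safe for the active log is that a subtractive symbolic mode never adds bits and is a no-op on already-compliant files, which is worth stating in the new comment, e.g. `# Subtractive symbolic mode: compliant files (0600 active, 0400 rotated) are left unchanged.` As a point of style, `dest:` is a legacy alias of the file module's `path:` parameter. The task's `tags:` list continues past the end of the hunk, and `v38498_result` and `auditd_log_dir` are registered outside it, so I cannot confirm what the item list contains.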