Log files are world-writable. #16

Open

natedogith1 opened this issue May 6, 2024 · 3 comments

@natedogith1

The log files are set to world-writable. It looks like this is done here:

os.Chmod(params.LogFileName, 0666)

These log files are triggering security findings.

@karkunpavan (Collaborator)

Hi @natedogith1 , thanks for raising the issue.

I can explain the rationale for having the logs writable by other users in the Agent for SAP.

The one-time executions (such as backint, hanadiskbackup, etc.) can be run by multiple users on the machine. Let us take a scenario where

  • user-1 ran the one-time execution and this created a /var/log/google-cloud-sap-agent/backint.log file.
  • Another user, say sidadm-1, runs the backint command - they should still be able to write to the same log file.

If the log file were not world-writable, the log write would fail for any user other than the one who created it.

Let me know if this addresses your concerns.

@natedogith1 (Author)

Our security requirements (based on CIS Benchmarks) require that all world-writable directories have their sticky bit set and that there are no world-writable files. I haven't seen this issue before with other software, but if this is a requirement we can probably document an exception.

@karkunpavan (Collaborator)

Thanks. We will add comments in the code and update the public docs indicating why we do this.
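Added example, not code from the Agent for SAP project: a group-writable (0660) alternative to the 0666 chmod quoted above, next to the audit check that flags world-writable files the way a CIS-style scan does. It assumes the users who run the one-time executions share a Unix group that owns the log directory, so group write is enough for the multi-user scenario described in the thread; the file names are constructed for the example.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
)

// worldWritable reports whether the "other" write bit is set on a mode.
func worldWritable(mode fs.FileMode) bool {
	return mode.Perm()&0o002 != 0
}

// openSharedLog opens (or creates) a log file for appending with 0660:
// owner and group may write, everyone else may not. Chmod is applied
// explicitly, as in the issue, so the result does not depend on the
// caller's umask, but with the world-write bit cleared.
func openSharedLog(name string) (*os.File, error) {
	f, err := os.OpenFile(name, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o660)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(name, 0o660); err != nil {
		f.Close()
		return nil, err
	}
	return f, nil
}

// findWorldWritable walks dir and returns every regular file whose mode
// includes the world-write bit, i.e. the files a CIS-style audit reports.
func findWorldWritable(dir string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode().IsRegular() && worldWritable(info.Mode()) {
			hits = append(hits, path)
		}
		return nil
	})
	return hits, err
}
```

Running findWorldWritable over /var/log/google-cloud-sap-agent before and after the change is a direct way to confirm the finding is gone.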
