Vulnerability Solution for Symantec Directory world writable log files


Article ID: 272921


Products

CA Directory

Issue/Introduction

We found that some Symantec Directory log files are world-writable (mode 666):

-bash-4.2$ ll /opt/CA/Directory/dxserver/logs/dxagent.*
-rw-rw-rw-. 1 dsa etrdir  34782 Aug 10 07:41 /opt/CA/Directory/dxserver/logs/dxagent.access.log
-rw-r-----. 1 dsa etrdir  68802 Aug  8 23:59 /opt/CA/Directory/dxserver/logs/dxagent.access.log.2023-08-08
-rw-rw-rw-. 1 dsa etrdir 107338 Aug  9 23:55 /opt/CA/Directory/dxserver/logs/dxagent.access.log.2023-08-09
-rw-r-----. 1 dsa etrdir   1093 Aug 31 10:06 /opt/CA/Directory/dxserver/logs/dxagent.error.log
-rw-r-----. 1 dsa etrdir   1093 Aug  7 09:17 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-07
-rw-r-----. 1 dsa etrdir   1093 Aug  8 10:13 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-08
-rw-rw-rw-. 1 dsa etrdir   2927 Aug 10 07:45 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-10
-rw-r-----. 1 dsa etrdir   1093 Aug 14 09:42 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-14
-rw-rw-rw-. 1 dsa etrdir   2927 Aug 20 10:55 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-20
-rw-r-----. 1 dsa etrdir   1093 Aug 21 10:57 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-21
-rw-rw-rw-. 1 dsa etrdir   2927 Aug 28 17:57 /opt/CA/Directory/dxserver/logs/dxagent.error.log.2023-08-28
-bash-4.2$

A file that can be written by any user on the system could be a serious security flaw.

Please provide a solution for the above vulnerability.

Environment

Release : 14.1

Cause

We must assure you that 666 (i.e. "-rw-rw-rw-") permissions on the dxagent log files do not impact Directory services in any way.
The only impact of such permissions is that any ordinary Linux user on the host can modify or delete the affected log files.
Please note that only the dxagent logs are affected, not the DSA logs.
DSA logs contain a lot of useful information and, depending on the logging configuration, may also contain confidential data such as user DNs.
However, all DSA logs have 640 (i.e. "-rw-r-----") permissions and are therefore not vulnerable.
The dxagent logs do not contain much useful information (unless they are temporarily set to DEBUG level while troubleshooting dxagent), so it is not a serious security flaw if they are compromised.

Broadcom is currently investigating this issue.
The problem is likely not in Broadcom code, but in a third-party Python library that the dxagent service uses for logging.

Resolution

We can propose the following workaround to rectify this vulnerability:

  1. Change the permissions of the existing dxagent logs:

    1. Log on to the machine where Directory is installed as the 'dsa' user.
    2. Change the permissions:
      chmod 640 /opt/CA/Directory/dxserver/logs/dxagent.*

  2. Set up a cron job that runs shortly after midnight every day (because the dxagent logs are rolled at midnight) and changes the permissions of the newly created logs:

    1. Log on to the machine where Directory is installed as the 'dsa' user.
    2. Run this command to edit the crontab:
      crontab -e
    3. Add the following line to the crontab:
      02 00 * * * chmod 640 /opt/CA/Directory/dxserver/logs/dxagent.*

      The above crontab entry runs at 12:02am every night and changes the dxagent log permissions to 640.
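The following script is an added example, not part of the Broadcom article or product: it does the same job as the crontab command above, but only touches dxagent log files whose group or other write bit is actually set, leaves non-dxagent files (such as the DSA logs) alone, and reports how many files it changed so the cron output doubles as an audit record. The directory path is the one from the article; the LOG_DIR variable, the function names and the --run flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): harden dxagent log permissions
# to 640 and report what was changed. Assumes the log directory from the
# article; override with LOG_DIR=... when calling.

LOG_DIR="${LOG_DIR:-/opt/CA/Directory/dxserver/logs}"

# Return 0 if the file is writable by group or others, judged from the
# 10-character mode string printed by ls -l (portable; no GNU stat needed).
# Position 6 is the group write bit, position 9 the other write bit.
is_loose() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Set every dxagent.* regular file in the given directory that is group- or
# world-writable to 640, and print the number of files that were changed.
# Files that are already 640 (or tighter) and files with other names are
# not touched.
fix_dxagent_log_perms() {
    dir="$1"
    count=0
    for f in "$dir"/dxagent.*; do
        [ -f "$f" ] || continue        # skip the literal glob when nothing matches
        if is_loose "$f"; then
            chmod 640 "$f"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Run against the real log directory only when asked to, so sourcing the file
# (for example from a test) has no side effects. A crontab entry equivalent to
# the one in the article would be:
#   02 00 * * * sh /path/to/fix_dxagent_logs.sh --run >> /path/to/fix_dxagent_logs.out 2>&1
if [ "${1:-}" = "--run" ]; then
    n=$(fix_dxagent_log_perms "$LOG_DIR")
    echo "$(date '+%Y-%m-%d %H:%M:%S') fixed permissions on $n dxagent log file(s) in $LOG_DIR"
fi
```

The mode check is done on the ls -l string rather than with stat because the stat option syntax differs between GNU and BSD userlands, while the ls column layout is the same everywhere; the trailing SELinux dot seen in the article's listing falls outside the first ten characters and does not affect the match.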