Auditing User Activity in SAS Viya
In this hands-on workshop, you will explore the auditing functionality available in SAS Viya. You will learn how to view and edit the auditing configuration to change the behavior of the Audit service, which controls how audit data is captured, stored, maintained, and made available for reporting. You will also view the methods for surfacing audit records, including using the sas-viya CLI’s audit plugin and the User Activity Report available in SAS Visual Analytics.
- Connect to the workshop environment
- Modify Audit service configuration
- Generate activity
- View audit records with CLI
- Access the User Activity Report
Connect to the workshop environment
- Use the credentials below to connect to your SAS Viya environment.
- Username: student
- Password: Metadata0
When prompted, opt in to assumable groups.
Modify Audit service configuration
First, view the auditing configuration in SAS Environment Manager.
- Open SAS Environment Manager in your browser and sign in.
- Username: student
- Password: Metadata0
- Navigate to the Configuration page. Find and click on the Audit service.
- Review the sas.audit.record configuration instance. The settings here control the amount of information the Audit service captures about system activity.
Note the default setting for the audit.recording.level property; it is set to low. This setting results in the Audit service capturing audit data about all REST activity from SAS Viya services with the exception of successful Read actions. Failed Read actions, along with Create, Update, Delete, and other events, will generate audit records, which are stored in the SAS Infrastructure Data Server’s AUDIT schema.
- Click the pencil icon for sas.audit.record to enter edit mode. Change the value of the audit.recording.level property by selecting high from the drop-down box.
Click Save to apply the changes.
- Expand the sas.audit.reporting configuration instance to view the properties that control how audit data can be used for reporting. Data is loaded from the SAS Infrastructure Data Server to the SystemData Caslib’s AUDIT table. The value of the refresh.schedule property determines how often audit data is loaded to CAS. The value is expressed in Cron standard syntax.
- Click the pencil icon for sas.audit.reporting to enter edit mode. Modify the value of refresh.schedule as follows, to load records every 10 minutes.
Click Save to apply the change.
- Sign out of SAS Environment Manager.
Generate activity
In this step, you will perform some activities that represent what a regular user may typically perform. You will log in, open and interact with a report that contains some sample data, and then log off. Later in this exercise, you will try to locate the audit trail for these actions.
- First, replicate a failed login attempt by trying to log on to SAS Visual Analytics with an invalid username and password. For example, enter user sas001 as the username and innovate for the password.
- Now log on as user christine with password Student1. When prompted, do not opt in to assumable groups.
- Go to the SAS Content/Products/Visual Analytics/Samples folder and open the Retail Insights report by right-clicking and selecting Open. Browse the report.
- Sign Christine out gracefully (sign out rather than just closing your browser).
View audit records with CLI
The next task is to try to find the audit trail that identifies the user action performed previously. Suppose an administrator would like to determine whether the Retail Insights report has been accessed and by whom. Acting now as the administrator (username ‘student’), you will use the sas-viya command-line interface’s (CLI) audit plugin to search the audit data that has been captured to find records signifying user actions.
The sas-viya CLI has been installed (with all plugins) in the workshop environment and can be run from the terminal.
- Open a student terminal session from your remote client machine’s desktop.
- Execute the following command to view the audit data accessible via the CLI:
sas-viya audit list
Hint: There are several options that can be added to the command to change the way audit data is displayed. Add the -h flag to view all available options.
- To view login attempts, you can modify the command to filter the output to display only records generated by the SASLogon application. You can also add an additional filter to display failed actions only. The command below also sorts the output in chronological order.
sas-viya audit list --application SASLogon --state failure --sort-by timestamp
Do you see records for the unsuccessful login attempt made earlier?
Yes. Failed login attempts appear as follows:
    ID                                    Time Stamp                Action  State    User ID  Application  URI
    98469254-0bc1-412c-8c7d-4d4cd158d0ca  2024-02-21T09:45:54.636Z  login   failure  sas001   SASLogon
- Modify the previous command to look for both unsuccessful and successful login attempts:
sas-viya audit list --application SASLogon --sort-by timestamp
- Now run the following command to view all records generated by user christine.
sas-viya --output text audit list --user-id christine --sort-by timestamp
Modify the command above as necessary to view Christine’s interactions with SASLogon.
What were Christine's most recent log in and log off times?
Add the --application SASLogon flag to the command. Successful login attempts are recorded with a state of Success. If you remembered to log off the session gracefully, you will see a sessionDestroyed action from SASLogon. If not, the record will not appear until the session timeout is reached. Note that all times are stored in UTC. They are converted to local time when data is loaded to CAS.
    293aa58-b7b5-4c31-92ac-230eff6392ff 2024-03-21T22:53:12.611Z login success christine SASLogon false
    40304ff4-c859-4994-95ac-7cf2add99e60 2024-03-21T22:53:12.616Z SessionAuthenticationSuccess success christine SASLogon false
    c83c2906-8cfc-4cbe-a896-3a042036de78 2024-03-21T22:56:53.755Z SessionDestroyed success christine SASLogon false
Note that if a user is logged on in multiple sessions simultaneously, a sessionSignature field in the properties of the SessionDestroyed record corresponds with a matching field in a SessionAuthenticationSuccess record, which is created immediately after a login. This provides a way to uniquely identify user sessions.
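The pairing on sessionSignature can be scripted. The following is an added example, not part of the original workshop; it assumes the JSON output exposes the action, user, timeStamp and properties.sessionSignature fields, and the sample records and signature values are constructed:

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `sas-viya --output json audit list` records.
# Timestamps for sig-A come from the output above; signatures are made up.
SAMPLE = json.loads("""[
 {"action": "login", "user": "christine", "timeStamp": "2024-03-21T22:53:12.611Z"},
 {"action": "SessionAuthenticationSuccess", "user": "christine",
  "timeStamp": "2024-03-21T22:53:12.616Z", "properties": {"sessionSignature": "sig-A"}},
 {"action": "SessionAuthenticationSuccess", "user": "christine",
  "timeStamp": "2024-03-21T22:54:00.5Z", "properties": {"sessionSignature": "sig-B"}},
 {"action": "SessionDestroyed", "user": "christine",
  "timeStamp": "2024-03-21T22:56:53.755Z", "properties": {"sessionSignature": "sig-A"}}
]""")


def parse_ts(value):
    """Parse a UTC audit timeStamp; the fraction may have 1-6 digits or be absent."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def pair_sessions(entries):
    """Pair login and logout records on properties.sessionSignature.

    Returns (closed, still_open): closed holds (user, signature, seconds),
    still_open holds (user, signature) for sessions with no SessionDestroyed yet.
    """
    starts, ends = {}, {}
    for entry in entries:
        sig = (entry.get("properties") or {}).get("sessionSignature")
        action = entry.get("action", "").lower()  # the page shows both casings
        if sig and action == "sessionauthenticationsuccess":
            starts[sig] = entry
        elif sig and action == "sessiondestroyed":
            ends[sig] = entry
    closed, still_open = [], []
    for sig, start in starts.items():
        if sig in ends:
            delta = parse_ts(ends[sig]["timeStamp"]) - parse_ts(start["timeStamp"])
            closed.append((start["user"], sig, delta.total_seconds()))
        else:
            still_open.append((start["user"], sig))
    return closed, still_open


if __name__ == "__main__":
    closed, still_open = pair_sessions(SAMPLE)
    for user, sig, seconds in closed:
        print(f"{user} {sig}: {seconds:.3f}s")
    for user, sig in still_open:
        print(f"{user} {sig}: no SessionDestroyed record yet")
```

A session listed as still open is either active or was closed without a graceful sign-out and is waiting for the session timeout.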
- Now try modifying the command to view records relating to Christine’s opening of the Retail Insights report.
sas-viya audit list --application reports --user-id christine --sort-by timestamp --resolve-uri
The --resolve-uri parameter will result in the retrieval and display of report names rather than URIs.
Do you see information about the report that was opened?
Information about report access is displayed because of the change made earlier to set audit.recording.level to a value of High.
    ID Time Stamp Type Action State Description User ID Application Remote Address Administrative Action URI
    7b896481-3e30-411b-8ee0-c59a4bb5f007 2024-03-21T22:54:08.917Z resource read success christine reports 10.42.6.59 false /reports/
    3d2fcfe6-84d0-4249-9ef3-017fb8b112e7 2024-03-21T22:54:10.708Z resource read success christine reports 172.18.0.10 false /reports/
    f175421e-c215-49d4-b60e-cd2200558b90 2024-03-21T22:55:26.657Z resource read success christine reports 10.42.3.93 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
    84cbf06f-9e32-4dbd-827e-cec39e63c029 2024-03-21T22:55:26.844Z resource read success christine reports 10.42.3.93 false /Products/SAS Visual Analytics/Samples/Warranty Analysis.report
    63e5bf65-26e2-4cab-91d2-067906c1a6e4 2024-03-21T22:55:26.927Z resource read success christine reports 10.42.3.93 false /Products/SAS Visual Analytics/Samples/Water Consumption and Monitoring.report
    28e99742-5e48-4883-8c73-d53f500fb938 2024-03-21T22:55:28.469Z resource read success christine reports 172.18.0.10 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
    38f3846e-7547-4285-8668-834fcc34101b 2024-03-21T22:55:28.69Z resource read success christine reports 172.18.0.10 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
    c85567c1-495e-4e95-9dce-9fb1d2fbce88 2024-03-21T22:55:28.904Z resource read success christine reports 10.42.3.62 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
    d5803860-4da2-4e2e-bdc1-f0e9f01bbece 2024-03-21T22:55:53.165Z resource read success christine reports 172.18.0.10 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
- Note that in the previous output, there are many records generated for the Retail Insights report. This is because the reports service creates records for the displaying of report thumbnails in addition to the action of opening the report.
To distinguish between these two types of records, and to determine whether a user did actually open a report, an additional flag is required on the command.
sas-viya audit list --application reports --user-id christine --sort-by timestamp --resolve-uri --details
Adding the --details flag displays a Remote Address field in the output.
    28e99742-5e48-4883-8c73-d53f500fb938 2024-03-21T22:55:28.469Z resource read success christine reports 172.18.0.10 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
    38f3846e-7547-4285-8668-834fcc34101b 2024-03-21T22:55:28.69Z resource read success christine reports 172.18.0.10 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
    c85567c1-495e-4e95-9dce-9fb1d2fbce88 2024-03-21T22:55:28.904Z resource read success christine reports 10.42.3.62 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
    d5803860-4da2-4e2e-bdc1-f0e9f01bbece 2024-03-21T22:55:53.165Z resource read success christine reports 172.18.0.10 false /Products/SAS Visual Analytics/Samples/Retail Insights.report
Note that one of the records contains a unique address for the Remote Address field. This is the internal IP address of the sas-folders service. This record is only generated when a user opens a report, providing a way to capture an audit trail.
- Next, modify the command to try viewing information about CAS usage, including data that was accessed and actions that were performed. Some records are created by the ‘sas’ system user (with an ‘access’ action rather than a ‘read’ action). You need to adjust the filters on your CLI command to view these records.
sas-viya --output json audit list --application cas --sort-by timestamp --user-id sas --action access --limit 10000 | grep -B21 -A9 christine
These records provide more information about CAS table access:
    {
      "action": "access",
      "application": "cas",
      "description": "Accessed the table",
      "httpContext": {},
      "id": "298c2781-7a92-48cf-ac09-d10d72369cd9",
      "links": [
        {
          "href": "/audit/entries/298c2781-7a92-48cf-ac09-d10d72369cd9",
          "method": "GET",
          "rel": "self",
          "type": "application/vnd.sas.audit.entry.resource",
          "uri": "/audit/entries/298c2781-7a92-48cf-ac09-d10d72369cd9"
        }
      ],
      "properties": {
        "caslib": "Samples",
        "category": "access",
        "controllerHost": "controller.sas-cas-server-default.edu.svc.cluster.local",
        "controllerPort": "5570",
        "scope": "global",
        "sessionId": "07c12d46-8842-024e-86bf-d1ee3d6ce98f",
        "sessionUser": "christine",
        "table": "RAND_RETAILDEMO"
      },
      "state": "success",
      "timeStamp": "2024-03-21T22:55:30.905761Z",
      "type": "resource",
      "user": "sas",
      "version": 4
    },
Remember that the default setting of Low for the audit.recording.level property does not capture successful Read actions; it only captures failed ones. This means that when the data is successfully accessed (read) by a user, an audit record is not captured by the Audit service. This is for performance reasons (as the amount of data captured/processed by the Audit service will grow significantly if successful Reads are captured), but it is important to understand (and discuss with your customer) the implications. If the setting is changed to High (you will not have access to change this setting in the workshop environment), then successful Read events, including those showing a user accessing a dataset, will be captured and can be viewed using the CLI.
What details can you see about CAS actions that were performed?
Information about CAS actions that were executed (including those that always occur when you open a report) is created by user ‘sas’ and application ‘cas’. If you adjust your CLI command with these parameters, you will see records that look like the below: If you then run the following command, more details will be displayed about the record:
    {
      "action": "load",
      "application": "cas",
      "description": "Loaded table",
      "httpContext": {},
      "id": "077b0250-957a-42c5-a9f4-b5a669359c41",
      "links": [ ...],
      "properties": {
        "caslib": "Workshop",
        "category": "change",
        "controllerHost": "controller.sas-cas-server-default.edu.svc.cluster.local",
        "controllerPort": "5570",
        "scope": "session",
        "sessionId": "028d460d-1c49-ea46-aaa3-8475b7afae0d",
        "sessionUser": "christine",
        "table": "RAND_RETAIL"
      },
      "state": "success",
      "timeStamp": "2024-01-18T08:36:54.026319Z",
      "type": "resource",
      "user": "sas",
      "version": 4
    }
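As an added example (not part of the original workshop), the grep context filter used earlier can be replaced by parsing the JSON and matching properties.sessionUser exactly, which does not depend on how many lines each record spans. The field names come from the records shown above; the top-level "items" wrapper and records 3 and 4 of the sample are assumptions:

```python
import json
from collections import Counter

# Records 1-2 are trimmed from the output above; records 3-4 are constructed.
# The top-level "items" wrapper is an assumption about the CLI's JSON output.
SAMPLE = json.loads("""{"items": [
 {"action": "access", "application": "cas", "state": "success", "user": "sas",
  "properties": {"caslib": "Samples", "table": "RAND_RETAILDEMO",
                 "sessionUser": "christine"}},
 {"action": "load", "application": "cas", "state": "success", "user": "sas",
  "properties": {"caslib": "Workshop", "table": "RAND_RETAIL",
                 "sessionUser": "christine"}},
 {"action": "access", "application": "cas", "state": "success", "user": "sas",
  "properties": {"caslib": "Samples", "table": "RAND_RETAILDEMO",
                 "sessionUser": "christine"}},
 {"action": "access", "application": "cas", "state": "success", "user": "sas",
  "properties": {"caslib": "Samples", "table": "RAND_RETAILDEMO",
                 "sessionUser": "christine2"}}
]}""")


def entries_of(doc):
    """Accept a bare list of records or an object wrapping them under "items"."""
    return doc.get("items", []) if isinstance(doc, dict) else doc


def cas_activity(doc, session_user):
    """Count CAS records per (action, caslib, table, state) for one session user.

    Matches properties.sessionUser exactly, so "christine2" is not mistaken
    for "christine" the way a substring grep would be.
    """
    summary = Counter()
    for entry in entries_of(doc):
        props = entry.get("properties") or {}
        if entry.get("application") != "cas":
            continue
        if props.get("sessionUser") != session_user:
            continue
        summary[(entry.get("action"), props.get("caslib"),
                 props.get("table"), entry.get("state"))] += 1
    return summary


if __name__ == "__main__":
    for key, count in sorted(cas_activity(SAMPLE, "christine").items()):
        print(count, *key)
```

To run it on live data, replace SAMPLE with json.load(sys.stdin) and pipe in the output of sas-viya --output json audit list --application cas --user-id sas --limit 10000.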
As you’ve now seen, the data captured by the Audit service can be useful when performing auditing. The configuration settings can be adjusted to capture more detailed data about user activity and data access. For some types of information, you can also use log data generated by SAS Viya in addition to audit records.
Access the User Activity Report
Now try viewing the default audit report in Visual Analytics.
- Log on to SAS Visual Analytics as user student:Metadata0.
- Open Products/SAS Environment Manager/Dashboard Items/User Activity Report.
- Browse the tabs of the report to view activity. What are the recent failures? Who are the most active users?
- Is Christine’s action of opening Retail Insights included in the data? Why/why not?