Auditing User Activity in SAS Viya

In this hands-on workshop, you will explore the auditing functionality available in SAS Viya. You will learn how to view and edit the auditing configuration to change the behavior of the Audit service, which controls how audit data is captured, stored, maintained, and made available for reporting. You will also view the methods for surfacing audit records, including using the sas-viya CLI’s audit plugin and the User Activity Report available in SAS Visual Analytics.

• Connect to the workshop environment
• Modify Audit service configuration
• Generate activity
• View audit records with CLI
• Access the User Activity Report

Connect to the workshop environment

• Use the credentials below to connect to your SAS Viya environment.
  • Username : student
  • Password: Metadata0

When prompted, opt in to assumable groups.

Modify Audit service configuration

First, view the auditing configuration in SAS Environment Manager.

1. Open SAS Environment Manager in your browser and sign in.
   • Username: student
   • Password: Metadata0

2. Navigate to the Configuration page. Find and click on the Audit service.

   

3. Review the sas.audit.record configuration instance. The settings here control the amount of information the Audit service captures about system activity.

   

   Note the default setting for the audit.recording.level property; it is set to low. This settings results in the Audit service capturing audit data about all REST activity from SAS Viya services with the exception of successful Read actions. Failed Read actions, along with Create, Update, Delete, and other events, will generate audit records, which are stored in the SAS Infrastructure Data Server’s AUDIT schema).

4. Click the pencil icon for sas.audit.record to enter edit mode. Change the value of the audit.recording.level by selecting high from the drop-down box.

   

   Click Save to apply the changes.

5. Expand the sas.audit.reporting configuration instance to view the properties that control how audit data can be used for reporting. Data is loaded from the SAS Infrastructure Data Server to the SystemData Caslib’s AUDIT table. The value of the refresh.schedule property determines how often audit data is loaded to CAS. The value is expressed in Cron standard syntax.

6. Click the pencil icon for sas.audit.reporting to enter edit mode. Modify the value of refresh.schedule to as follows, to load records every 10 minutes.

   

   Click Save to apply the change.

7. Sign out of SAS Environment Manager.

Generate activity

In this step, you will perform some activities that represent what a regular user may typically perform. You will log in, open and interact with a report that contains some sample data, and then log off. Later in this exercise, you will try to locate the audit trail for these actions.

1. First, replicate a failed login attempt by trying to log on to SAS Visual Analytics with an invalid username and password. For example, enter user sas001 as the username and innovate for the password.

   

2. Now log on as user christine with password Student1. When prompted, do not opt in to assumable groups.

3. Go to the SAS Content/Products/Visual Analytics/Samples folder and open the Retail Insights report by right-clicking and selecting Open. Browse the report.

   

4. Sign Christine out gracefully (sign out rather than just closing your browser).

View audit records with CLI

The next task is to try to find the audit trail that identifies the user action performed previously. Suppose an administrator would like to determine whether the Retail Insights report has been accessed and by whom. Acting now as the administrator (username ‘student’), you will use the sas-viya command-line interface’s (CLI) audit plugin to search the audit data that has been captured to find records signifying user actions.

The sas-viya CLI has been installed (with all plugins) in the workshop environment and can be run from the terminal.

1. Open a student terminal session from your remote client machine’s desktop.

   

2. Execute the following command to view the audit data accessible via the CLI:

   sas-viya audit list
   

   Hint: There are several options that can be added to the command to change the way audit data is displayed. Add the -h flag to view all available options.

3. To view login attempts, you can modify the command to filter the output to display only records generated by the SASLogon application. You can also add an additional filter to display failed actions only. The command below also sorts the output in chronological order.

   sas-viya audit list --application SASLogon --state failure --sort-by timestamp
   

   Do you see records for the unsuccessful login attempt made earlier?

   
   

   Yes. Failed login attempts appear as follows:

   ID                                     Time Stamp                 Action             State     User ID        Application   URI
   98469254-0bc1-412c-8c7d-4d4cd158d0ca   2024-02-21T09:45:54.636Z   login              failure   sas001   SASLogon
   

4. Modify the previous command to look for both unsuccessful and successful login attempts:

   sas-viya audit list --application SASLogon --sort-by timestamp 
   

5. Now run the following command to view all records generated by user christine.

   sas-viya --output text audit list --user-id christine --sort-by timestamp 
   

   Modify the command above as necessary to view Christine’s interactions with SASLogon.

   What were Christine's most recent log in and log off times?

   
   

   Add the --application SASLogon flag to the command. Successful login attempts are recorded with a state of Success. If you remembered to log off the session gracefully, you will see a sessionDestroyed action from SASLogon. If not, the record will not appear until the session timeout is reached. Note that all times are stored in UTC. They are converted to local time when data is loaded to CAS.

   293aa58-b7b5-4c31-92ac-230eff6392ff   2024-03-21T22:53:12.611Z   login                          success   christine   SASLogon      false
   40304ff4-c859-4994-95ac-7cf2add99e60   2024-03-21T22:53:12.616Z   SessionAuthenticationSuccess   success   christine   SASLogon      false
   c83c2906-8cfc-4cbe-a896-3a042036de78   2024-03-21T22:56:53.755Z   SessionDestroyed               success   christine   SASLogon      false
   

   Note, that if a user is logged on in multiple sessions simultaneously, a sessionSignature field in the properties of the SessionDestroyed record corresponds with a matching field in a SessionAuthenticationSuccess record, which is created immediately after a login. This provides a way to uniquely identify user sessions.

6. Now try location modifying the command to view records relating to Christine’s opening of the Retail Insights report.

   sas-viya audit list --application reports --user-id christine --sort-by timestamp --resolve-uri
   

   The --resolve-uri parameter will result in the retrieval and display of report names rather than URIs.

   Do you see information about the report that was opened?

   
   

   Information about report access is displayed because of the change made earlier to set audit.recording.level to a value of High.

   ID                                     Time Stamp                 Type       Action   State     Description   User ID     Application   Remote Address   Administrative Action   URI
   7b896481-3e30-411b-8ee0-c59a4bb5f007   2024-03-21T22:54:08.917Z   resource   read     success                 christine   reports       10.42.6.59       false                   /reports/
   3d2fcfe6-84d0-4249-9ef3-017fb8b112e7   2024-03-21T22:54:10.708Z   resource   read     success                 christine   reports       172.18.0.10      false                   /reports/
   f175421e-c215-49d4-b60e-cd2200558b90   2024-03-21T22:55:26.657Z   resource   read     success                 christine   reports       10.42.3.93       false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   84cbf06f-9e32-4dbd-827e-cec39e63c029   2024-03-21T22:55:26.844Z   resource   read     success                 christine   reports       10.42.3.93       false                   /Products/SAS Visual Analytics/Samples/Warranty Analysis.report
   63e5bf65-26e2-4cab-91d2-067906c1a6e4   2024-03-21T22:55:26.927Z   resource   read     success                 christine   reports       10.42.3.93       false                   /Products/SAS Visual Analytics/Samples/Water Consumption and Monitoring.report
   28e99742-5e48-4883-8c73-d53f500fb938   2024-03-21T22:55:28.469Z   resource   read     success                 christine   reports       172.18.0.10      false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   38f3846e-7547-4285-8668-834fcc34101b   2024-03-21T22:55:28.69Z    resource   read     success                 christine   reports       172.18.0.10      false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   c85567c1-495e-4e95-9dce-9fb1d2fbce88   2024-03-21T22:55:28.904Z   resource   read     success                 christine   reports       10.42.3.62       false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   d5803860-4da2-4e2e-bdc1-f0e9f01bbece   2024-03-21T22:55:53.165Z   resource   read     success                 christine   reports       172.18.0.10      false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   

7. Note that in the previous output, there are many records generated for the Retail Insights report. This is because the reports service creates records for the displaying of report thumbnails in addition to the action of opening the report.

   To distinguish between these two types of records, and to determine whether a user did actually open a report, an additional flag is required on the command.

   sas-viya audit list --application reports --user-id christine --sort-by timestamp --resolve-uri --details
   

   Adding the --details flag displays a Remote Address field in the output.

   28e99742-5e48-4883-8c73-d53f500fb938   2024-03-21T22:55:28.469Z   resource   read     success                 christine   reports       172.18.0.10      false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   38f3846e-7547-4285-8668-834fcc34101b   2024-03-21T22:55:28.69Z    resource   read     success                 christine   reports       172.18.0.10      false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   c85567c1-495e-4e95-9dce-9fb1d2fbce88   2024-03-21T22:55:28.904Z   resource   read     success                 christine   reports       10.42.3.62       false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   d5803860-4da2-4e2e-bdc1-f0e9f01bbece   2024-03-21T22:55:53.165Z   resource   read     success                 christine   reports       172.18.0.10      false                   /Products/SAS Visual Analytics/Samples/Retail Insights.report
   

   Note that one of the records contains a unique address for the Remote Address field. This is the internal IP address of the sas-folders service. This record is only generated when a user opens a report, providing a way to capture an audit trail.

8. Next, modify the command to try viewing information about CAS usage, including data that was accessed and actions that were performed. Some records are created by the ‘sas’ system user (an ‘access’ action rather than a ‘read’ action.). It would be necessary to adjust the filters on your CLI command to view these records.

   sas-viya --output json  audit list  --application cas --sort-by timestamp --user-id sas --action access --limit 10000|grep -B21 -A9 christine
   

   These records provide more information about CAS table access:

       {
           "action": "access",
           "application": "cas",
           "description": "Accessed the table",
           "httpContext": {},
           "id": "298c2781-7a92-48cf-ac09-d10d72369cd9",
           "links": [
               {
                   "href": "/audit/entries/298c2781-7a92-48cf-ac09-d10d72369cd9",
                   "method": "GET",
                   "rel": "self",
                   "type": "application/vnd.sas.audit.entry.resource",
                   "uri": "/audit/entries/298c2781-7a92-48cf-ac09-d10d72369cd9"
               }
           ],
           "properties": {
               "caslib": "Samples",
               "category": "access",
               "controllerHost": "controller.sas-cas-server-default.edu.svc.cluster.local",
               "controllerPort": "5570",
               "scope": "global",
               "sessionId": "07c12d46-8842-024e-86bf-d1ee3d6ce98f",
               "sessionUser": "christine",
               "table": "RAND_RETAILDEMO"
           },
           "state": "success",
           "timeStamp": "2024-03-21T22:55:30.905761Z",
           "type": "resource",
           "user": "sas",
           "version": 4
       },
   

   Remember that the default setting of Low for the audit.recording.level property does not capture successful Read actions; it only captures failed ones. This means that when the data is successfully accessed (read) by a user, an audit record is not captured by the Audit service. This is for performance reasons (as the amount of data captured/processed by the Audit service will grow significantly if successful Reads are captured), but it is important to understand (and discuss with your customer) the implications. If the setting is changed to High (you will not have access to change this setting in the workshop environment), then successful Read events, including those showing a user accessing a dataset, will captured and can be viewed using the CLI.

   What details can you see about CAS actions that were performed?

   
   

   Information about CAS actions that were executed (including those that always occur when you open a report) are created by user ‘sas’ and application ‘cas’. If you adjust your CLI command with these parameters, you will see records that look like the below:: If you then run the following command, more details will be displayed about the record:

   {
   "action": "load",
   "application": "cas",
   "description": "Loaded table",
   "httpContext": {},
   "id": "077b0250-957a-42c5-a9f4-b5a669359c41",
   "links": [ ...],
   "properties": {
     "caslib": "Workshop",
     "category": "change",
     "controllerHost": "controller.sas-cas-server-default.edu.svc.cluster.local",
     "controllerPort": "5570",
     "scope": "session",
     "sessionId": "028d460d-1c49-ea46-aaa3-8475b7afae0d",
     "sessionUser": "christine",
     "table": "RAND_RETAIL" },
   "state": "success",
   "timeStamp": "2024-01-18T08:36:54.026319Z",
   "type": "resource",
   "user": "sas",
   "version": 4
   }
   

   As you’ve now seen, the data captured by the Audit service can be useful when performing auditing. The configuration settings can be adjusted to capture more detailed data about user activity and data access. For some types of information, you can also use log data generated by SAS Viya in addition to audit records.

Access the User Activity Report

Now try viewing the default audit report in Visual Analytics.

1. Log on to SAS Visual Analytics as user student:Metadata0.

2. Open Products/SAS Environment Manager/Dashboard Items/User Activity Report.

   

3. Browse the tabs of the report to view activity. What are the recent failures? Who are the most active users?

4. Is Christine’s action of opening Retail Insights included in the data? Why/why not?

---