Audit Record Maintenance
In this exercise, you will modify the configuration to implement audit record archiving and purging.
Archive location preparation
A location has already been set up as a destination for your audit record archives in the workshop environment. This is typically an additional manual post-deployment step that requires an administrator to attach a PVC to the sas-audit pod.
- View the mount on the audit pod:
kubectl describe po -l app=sas-audit | grep -A3 audit-archive-volume
Expected output:
  /archive from audit-archive-volume (rw)
  /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts from security (rw,path="cacerts")
  /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private from security (rw,path="private")
  /security from security (rw)
--
audit-archive-volume:
  Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
  ClaimName: audit-archive-pvc
  ReadOnly: false
At what location is the archive volume mounted in the audit pod?
The PVC is mounted at /archive.
Archive audit records
- Log on to SAS Environment Manager as Student:Metadata0 and go to the Configuration area.
- From the list of services, select Audit service.
- Click the pencil/edit icon for the sas.audit.archive.process configuration instance. This is one of several configuration instances that control the behavior of audit record archival and purging.
- Make the following edits to the configuration:
  - Specify a value of local for the storageType property.
  - Specify a value of 1h for the audit.retention property.
  - Specify a value of */5 * * * * for the scanSchedule property so that the process runs every 5 minutes.
  - Specify a value of
- Click Save.
- Now edit the sas.audit.archive.system configuration instance as follows:
  - Specify /archive as the value for the storage.location.destination property.
  - Specify
- Click Save to apply.
When the time specified in your cron expression is reached, the archive process commences and records will start to be written to the PVC (and removed from the Infrastructure Data Server). View the archived records directly from the main cluster node by running:
ls -R /srv/nfs/kubedata/audit-archive-pvc-$(kubectl get pv|grep audit-archive| awk '{print $1}')/archive/provider/2024 |grep -A30 /audit
You will see a list of some directories containing .arc files:
/srv/nfs/kubedata/gelcorp-audit-archive-pvc-pvc-5cd63491-baed-4368-b937-c9dc5d4369e7/archive/provider/2024/2/16/audit: 034ef97b-8e64-4ad5-8bf9-9c1598a3fae9.arc 11b5a9fe-dad8-4a40-bcfd-a9148f86a46b.arc 17f1fa49-f463-4a14-ad4e-7508fbf50609.arc 18b6ff40-174f-4198-aab3-1a0249be1b77.arc 23941ee6-e25b-404d-951d-f0ae42a70f4f.arc 3a2e68d5-97fa-4f3a-8547-bd03c9eecad9.arc 53d43268-6426-4453-9921-b07d630c693c.arc 58c1e86a-970d-4a70-a213-d7d30e919c6b.arc 63ca1338-3d5a-435b-93b4-5cfae44bffbf.arc 6ab6a8d8-d93c-48ea-9b32-4d9ca182f785.arc 7382f50d-a633-440a-863a-00a121497114.arc 8f90173f-40f7-4a5e-a62d-87c49eae74ea.arc a45d01fc-30e7-4078-b87c-e86a8b4ad8ef.arc a6bd926b-ca5d-4db1-9dc3-cf4a78ffaa49.arc c31976f4-6bcb-4aba-84ec-f3d05fada8d4.arc c41f3160-19e5-4b62-b013-476d4c29ab4f.arc df124934-83de-465b-a700-bdcaeb5afbb1.arc e6da5a2d-9440-4244-922d-56cab2e7b54d.arc ed468dee-6f25-419a-bb2a-2318154e8150.arc
Each .arc file is a JSON archive containing 1000 audit records (the count is set by the batchSize configuration property). If desired, open one of the files in a text editor to inspect it. The files can be copied to another location (for example, somewhere that is backed up) and/or deleted; note that they are owned by root, so sudo access is required.
Purge archived records
Archived audit records can be purged once they reach a defined retention period to keep the PV storage well-maintained. In this exercise, you will set up the purging of archived audit records.
- There are two relevant configuration instances for purging archived audit records. First, edit the sas.audit.archive.process instance as follows:
  - Specify a value of 30m for the audit.retention.in.archive property.
  - Specify a value of
- Edit the sas.audit.purge instance as follows:
  - Ensure that the enabled switch is turned on.
  - Specify the scanSchedule as */5 * * * *.
In the same way that audit records are archived to the attached storage volume according to the schedule in the scanSchedule property, the purge process removes records from the defined archive volume path on its own schedule. Note: If backups of archived audit records (or of the PVC) are required, be sure to take them between scheduled purges.
- After 5 minutes, archive files containing records older than 30 minutes will be removed from the archive location by the purge process. Verify by running the following:
# After 5 minutes, this command will show old archives being removed:
ls /srv/nfs/kubedata/audit-archive-pvc-$(kubectl get pv|grep audit-archive| awk '{print $1}')
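To make the purge check above less of a guessing game, the following added script (example code, not part of the workshop or of SAS Viya) takes the path where the audit-archive volume is mounted plus a retention value such as the 30m set for audit.retention.in.archive, and reports which .arc files are already outside the retention window and should disappear at the next scanSchedule run. It assumes GNU find, touch and mktemp, as found on a Linux cluster node; the sample tree it builds is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the workshop: list the .arc archives under a
# mounted audit-archive volume that are older than the configured
# audit.retention.in.archive value and are therefore due for purging.
# Assumes GNU find, touch and mktemp (a Linux cluster node).
set -eu

# Convert a retention value such as "30m", "1h" or "7d" to whole minutes.
retention_to_minutes() {
    value="$1"
    number="${value%[mhd]}"
    unit="${value#"$number"}"
    case "$unit" in
        m) echo "$number" ;;
        h) echo $(( number * 60 )) ;;
        d) echo $(( number * 1440 )) ;;
        *) echo "unsupported retention value '$value'" >&2; return 1 ;;
    esac
}

# Print, one per line and sorted, the .arc files under ARCHIVE_ROOT whose
# modification time is older than RETENTION; prints nothing when none is due.
expired_archives() {
    archive_root="$1"; retention="$2"
    minutes=$(retention_to_minutes "$retention")
    find "$archive_root" -type f -name '*.arc' -mmin "+$minutes" | sort
}

# Count the .arc files still inside the retention window, i.e. the ones the
# purge run is expected to leave in place.
retained_archive_count() {
    archive_root="$1"; retention="$2"
    minutes=$(retention_to_minutes "$retention")
    find "$archive_root" -type f -name '*.arc' ! -mmin "+$minutes" | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the workshop layout
# archive/provider/YYYY/M/D/audit, with one stale and one fresh archive, so
# the functions can be exercised without access to the cluster.
make_sample_archive() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/provider/2024/2/16/audit"
    touch -d '45 minutes ago' "$root/archive/provider/2024/2/16/audit/stale.arc"
    touch "$root/archive/provider/2024/2/16/audit/fresh.arc"
    echo "$root"
}
```

On the node, run expired_archives against the PVC directory shown by the ls command above, with the same retention value you configured; a non-empty list that persists across several scanSchedule intervals indicates the purge is not running.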