<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: SAS Workspace server logs permission in Administration and Deployment</title>
    <link>https://communities.sas.com/t5/Administration-and-Deployment/SAS-Workspace-server-logs-permission/m-p/477785#M13594</link>
    <description>&lt;P&gt;Your question is highly illogical (&lt;A href="https://www.youtube.com/watch?v=mdf25VY8RYA" target="_blank"&gt;https://www.youtube.com/watch?v=mdf25VY8RYA&lt;/A&gt;). How should a process write information to the log, when the owner of the process doesn't have write permission anymore?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've enacted some kind of security by obscurity for this problem:&lt;/P&gt;
&lt;P&gt;In every user's home directory is a directory logs, to which the WS logs are written (configured in the logconfig.xml of the workspace server); this directory has the following permissions:&lt;/P&gt;
&lt;PRE&gt;drwx-ws---    2 root     group          4096 Jul 11 19:10 logs&lt;/PRE&gt;
&lt;P&gt;The users can write there because of the write permission of their group, but they can't read the directory (they can't get a listing of filenames), making it rather hard (for the average user) to find their own logs and change them (which is still possible in principle).&lt;/P&gt;
&lt;P&gt;A determined user might be able to retrieve logs by studying the entry in the logconfig.xml and then run a "brute force" attack by trying all possible names for a given log file, and once it's found, edit it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 13 Jul 2018 05:55:25 GMT</pubDate>
    <dc:creator>Kurt_Bremser</dc:creator>
    <dc:date>2018-07-13T05:55:25Z</dc:date>
    <item>
      <title>SAS Workspace server logs permission</title>
      <link>https://communities.sas.com/t5/Administration-and-Deployment/SAS-Workspace-server-logs-permission/m-p/477691#M13591</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Currently in the SAS Platform, workspace server logs are getting generated in the server. The log files are generated with the permission (644), i.e.&amp;nbsp; the owner of the log file can read and edit the file and others can only read the file.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;But we have a requirement that even the owner of the file should not edit the log file, because if he/she edits the file, it's tough to trace if the admin wants to analyze the query that has been issued. Everyone should have only read-only access to the file.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Even if we change the permission of the file for all users/groups to read, then I don't think logs will be written to the file under the workspace directory.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is there any way to achieve this requirement? Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Jul 2018 21:47:49 GMT</pubDate>
      <guid>https://communities.sas.com/t5/Administration-and-Deployment/SAS-Workspace-server-logs-permission/m-p/477691#M13591</guid>
      <dc:creator>helannivas88</dc:creator>
      <dc:date>2018-07-12T21:47:49Z</dc:date>
    </item>
    <item>
      <title>Re: SAS Workspace server logs permission</title>
      <link>https://communities.sas.com/t5/Administration-and-Deployment/SAS-Workspace-server-logs-permission/m-p/477785#M13594</link>
      <description>&lt;P&gt;Your question is highly illogical (&lt;A href="https://www.youtube.com/watch?v=mdf25VY8RYA" target="_blank"&gt;https://www.youtube.com/watch?v=mdf25VY8RYA&lt;/A&gt;). How should a process write information to the log, when the owner of the process doesn't have write permission anymore?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've enacted some kind of security by obscurity for this problem:&lt;/P&gt;
&lt;P&gt;In every user's home directory is a directory logs, to which the WS logs are written (configured in the logconfig.xml of the workspace server); this directory has the following permissions:&lt;/P&gt;
&lt;PRE&gt;drwx-ws---    2 root     group          4096 Jul 11 19:10 logs&lt;/PRE&gt;
&lt;P&gt;The users can write there because of the write permission of their group, but they can't read the directory (they can't get a listing of filenames), making it rather hard (for the average user) to find their own logs and change them (which is still possible in principle).&lt;/P&gt;
&lt;P&gt;A determined user might be able to retrieve logs by studying the entry in the logconfig.xml and then run a "brute force" attack by trying all possible names for a given log file, and once it's found, edit it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Jul 2018 05:55:25 GMT</pubDate>
      <guid>https://communities.sas.com/t5/Administration-and-Deployment/SAS-Workspace-server-logs-permission/m-p/477785#M13594</guid>
      <dc:creator>Kurt_Bremser</dc:creator>
      <dc:date>2018-07-13T05:55:25Z</dc:date>
    </item>
    <item>
      <title>Re: SAS Workspace server logs permission</title>
      <link>https://communities.sas.com/t5/Administration-and-Deployment/SAS-Workspace-server-logs-permission/m-p/477826#M13596</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/182470"&gt;@helannivas88&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I agree with&amp;nbsp;&lt;a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/11562"&gt;@Kurt_Bremser&lt;/a&gt;. The user must have write access to the file to be able to generate the file. Maybe to try and mitigate the risk, you could always move the&amp;nbsp;logs to a secure location as soon as the SAS job finishes. This only leaves a window period from when the log was last written to, to the time being moved. E.g. put in a check to move the file as soon as the Workspace server PID dies.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;But on another level, if you are dealing with cases where users are editing log files so as to alter the details of e.g. a query, then IMHO you are dealing with a case of fraud. If so, I would really suggest that you engage with your IT security to investigate.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Jul 2018 10:49:31 GMT</pubDate>
      <guid>https://communities.sas.com/t5/Administration-and-Deployment/SAS-Workspace-server-logs-permission/m-p/477826#M13596</guid>
      <dc:creator>nhvdwalt</dc:creator>
      <dc:date>2018-07-13T10:49:31Z</dc:date>
    </item>
  </channel>
</rss>

