cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
helannivas88
Obsidian | Level 7 helannivas88
Obsidian | Level 7

SAS Workspace server logs permission

Posted 07-12-2018 05:47 PM (1126 views)

Hi,

 

Currently in the SAS Platform , there are workspace server logs are getting generated in the server. The logs files are generated with the permission (644) i.e.  owner of the log file can read and edit the file and others can only read the file.

 

But we have a requirement that even the owner of the file should not edit the log file because if he/she edit the file, its tough to trace if admin wants to analysis the query what has been issued. Everyone should have only read only access to the file.

 

Even if we change the permission of the file for all user/group as read, then I don't think logs will be written to the file under workspace directory.

 

Is there any way to achieve this requirement?? Thanks in advance.

0 Likes
Reply
2 REPLIES 2
Kurt_Bremser
Super User Kurt_Bremser
Super User

Re: SAS Workspace server logs permission

Posted 07-13-2018 01:55 AM (1108 views)  |   In reply to helannivas88

Your question is highly illogical (https://www.youtube.com/watch?v=mdf25VY8RYA). How should a process write information to the log, when the owner of the process doesn't have write permission anymore?

 

I've enacted some kind of security by obscurity for this problem:

In every user's home directory is a directory logs, to which the WS logs are written (configured in the logconfig.xml of the workspace server), this directory has the following permissions:

drwx-ws---    2 root     group          4096 Jul 11 19:10 logs

The users can write there because of the write permission of their group, but they can't read the directory (they can't get a listing of filenames), making it rather hard (for the average user) to find their own logs and change them (which is still possible in principle).

A determined user might be able to retrieve logs by studying the entry in the logconfig.xml and then run a "brute force" attack by trying all possible names for a given log file, and once it's found, edit it.

 

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX
0 Likes
Reply
nhvdwalt
Barite | Level 11 nhvdwalt
Barite | Level 11

Re: SAS Workspace server logs permission

Posted 07-13-2018 06:49 AM (1097 views)  |   In reply to Kurt_Bremser

Hi @helannivas88

 

I agree with @Kurt_Bremser. The user must have write access to the file to be able to generate the file. Maybe to try and mitigate the risk, you could always move the logs to a secure location as soon as the SAS job finishes. This only leaves a window period from when the log was last written to, to the time being moved. E.g. put in a check to move the file as soon as the Workspace server PID dies.

 

But on another level, if you are dealing with cases where users are editing logs files as to alter the details of e.g. a query, then IMHO you are dealing with a case of fraud. If so, I would really suggest that you engage with your IT security to investigate. 

0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • ‎07-12-2018 05:47 PM
  • 1127 views
  • 0 likes
  • 3 in conversation