Running a platform without auditing is a bit like playing sport with paying attention to the score (and please spare me the jokes about The Wallabies' efforts at the Rugby World Cup). The platform will run, but is it being used as intended, with the right people performing the right activities? How does it stack up in terms of efficiency and fitness for purpose? Auditing helps determine if the platform is running as expected and being used appropriately, or if there is anything that needs to be addressed before it becomes problematic. Are changes necessary to improve usability, performance, or security? Keeping an eye on things and taking preemptive action is good practice. SAS Viya 3.4's event-driven architecture offers the capability for effective auditing of system resources, report activity, data access, and more. In this post, we'll look at the options available for a fairly common auditing request; how can admins audit user access? How can we identify which users are logging in, how long they are staying logged in for, and at what times of the day?
Information about logins and user sessions are captured in the security_audit tables in the AUDIT schema in the SAS Infrastructure Data Server. The default behaviour, as defined in the security type properties in the sas.audit.record configuration instance, is to capture read failures only on security actions.
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
However, there is another event action more useful than read when trying to audit user login attempts; the login event, which will provide information about (successful and failed) login attempts coming from the SASLogon application. This information will be captured by default without the need to modify any of the default properties in sas.audit.record.
Let's look at an example. Below, we use the sas-admin CLI's audit plugin to see that user Ahmed logged in at 07:31 AM on the 25th of October (note that the timestamp is in UTC in PostgreSQL, but is converted to local time when a SAS Operations Infrastructure ETL job loads it to the AUDIT table in CAS).
/opt/sas/viya/home/bin/sas-admin --output text audit list --user-id Ahmed --sort-by ~timeStamp
ID Time Stamp Action State User ID Application URI
c72c4533-886d-493b-9ef2-1dcff4ff4674 2019-10-25T07:57:54.776Z SessionDestroyed success Ahmed SASLogon
bb748c54-6cb3-4edf-adbe-fce516c5786c 2019-10-25T07:31:21.014Z update success Ahmed reportImages /reportImages/jobs/4d7a64d8-1839-4d5b-a562-b140cdfc1f22/state
caf1264d-4d37-444b-af45-4e339edc5dc6 2019-10-25T07:31:20.999Z create success Ahmed reportRenderer /reportRenderer/images
713e18ac-34db-4115-92aa-35f7662b0909 2019-10-25T07:31:20.649Z read success Ahmed reportData /reportData/commons/settings
c5df6523-eb4f-42fe-b89b-fbdcc73d1c56 2019-10-25T07:31:20.298Z create success Ahmed reportPackages /reportPackages/jobs/b7325111-3f5a-4659-84bf-d1e59bdfbc74
e8578d9f-73b1-4dea-a94e-048a9eb9a72d 2019-10-25T07:31:20.030Z create success Ahmed reportData /reportData/jobs/61c55ce8-2b0a-4989-a14f-e1a5395b3b86
5aec043f-c2f8-46b6-a758-bc040abf1f69 2019-10-25T07:31:17.990Z create success Ahmed reportData /reportData/metadataSupplements
fc7c64d8-bf75-40f5-a851-4afa5dc29beb 2019-10-25T07:31:16.141Z create success Ahmed reportImages /reportImages/jobs/4d7a64d8-1839-4d5b-a562-b140cdfc1f22
f9ad69f9-22b8-447b-82c2-45ebeb462409 2019-10-25T07:31:14.523Z read success Ahmed reportData /reportData/commons/settings
5dc96422-833c-496c-bd65-64659faf76d0 2019-10-25T07:31:08.641Z read failure Ahmed preferences /preferences/preferences/@currentUser/FormatLocale.DefaultLocale
5da5acf5-4d6b-47b3-9da5-c30ea7c3d946 2019-10-25T07:31:08.096Z read failure Ahmed preferences /preferences/preferences/@currentUser/_hc_xx_
4a4c470f-afe9-469c-af3a-3fdb6d5f951e 2019-10-25T07:31:07.082Z read failure Ahmed preferences /preferences/preferences/@currentUser/FormatLocale.DefaultLocale
b66f6eed-8ae8-47a3-8d3a-60e23df5cec9 2019-10-25T07:31:05.463Z login success Ahmed SASLogon
When a user logs off Viya gracefully, a SessionDestroyed action is registered indicating the termination of the session as shown above.
If a user closes the browser instead of logging off, the SessionDestroyed does not get created in the audit records until the session times out. Session timeout is configurable by following instructions in Set Time-out Interval for SAS Viya Web Applications in SAS Viya 3.4 Administration: Configuration Pr....
Some applications generate their own audit data when a user logs in. For example, SASStudio V creates a Compute server session when a user logs in, and an audit record similar to the following is captured.
/opt/sas/viya/home/bin/sas-admin audit list --user-id Ahmed --sort-by ~timeStamp --details --application compsrv
ID Time Stamp Type Action State Description User ID Application Remote Address URI
1967127d-87da-4656-922f-ed3b3bf1733d 2019-10-23T11:47:42.122Z resource start success 92ce6360-b23c-485b-94dc-48e5bd681bdd:https://intviya02.race.sas.com:38934/compute/servers/92ce6360-b23c-485b-94dc-48e5bd681bdd Ahmed compsrv
When the compute session is terminated, an audit record from the compute application is captured indicating the deletion of the session (the Description field displays the ID of the session).
/opt/sas/viya/home/bin/sas-admin audit list --user-id Ahmed --sort-by ~timeStamp --details --application compute
ID Time Stamp Type Action State Description User ID Application Remote Address URI
5ebd10ca-b4e1-4e7e-b71d-2874bfa672ca 2019-10-23T07:50:36.257Z resource delete success Deleted compute server 92ce6360-b23c-485b-94dc-48e5bd681bdd Ahmed compute /compute/servers/92ce6360-b23c-485b-94dc-48e5bd681bdd
c9a1fc4a-48ea-4afa-a456-45e890571e42 2019-10-23T07:50:36.132Z resource delete success Deleted compute server session 92ce6360-b23c-485b-94dc-48e5bd681bdd-ses0000 Ahmed compute /compute/sessions/92ce6360-b23c-485b-94dc-48e5bd681bdd-ses0000
User sessions are assigned a unique session signature when they are established. The session signature (session_sig) property links the login event with the corresponding SessionDestroyed event. However, the session signature is not visible when surfacing audit records using the CLI. This information is recorded in TSV files in the EV Datamart directory (/opt/sas/viya/config/var/lib/evmsvrops/evdm/application/security) on the Viya server. When a session is started:
2 34dca2cc-fcc9-4b6d-8c72-32d2958c9320 security application/vnd.sas.event.security 2019-10-15T06:21:18.973000+00:00 sasadm sas-deployment-id:dml5YQ==,sas-event-source:U0FTTG9nb24=,session_sig:NTNlZmNlZGE= security action:bG9naW4=,actionState:U1VDQ0VTUw==
Note the session_sig value. When the session ends, another record will be generated in the same file, referring to the original signature (orig_session_sig) for that session.
2 b41e8882-192d-4657-8fee-4cb04a96abda security application/vnd.sas.event.security 2019-10-15T07:02:30.282000+00:00 sasadm orig_session_sig:NTNlZmNlZGE=,sas-deployment-id:dml5YQ==,sas-event-source:U0FTTG9nb24=,session_sig:NDk0MGZmNw== security action:U2Vzc2lvbkRlc3Ryb3llZA==,actionState:U1VDQ0VTUw==
Fortunately, the legwork for extracting this information has already been done. Session information is parsed from these files and stored in the authentications subject table (/opt/sas/viya/config/var/lib/evmsvrops/evdm/subjects/authentications.sas7bdat), providing a really nice way to audit user session information.
In the example below, several user sessions are listed, each with a datetime stamp of the login action, the session signature, and the duration of the session (in seconds ).
Note that user Sasha’s session has a duration of 0.00 seconds. This represents an active user session, indicating that Sasha has not yet logged out (SessionDestroyed action has not occurred for the session with this signature).
A job runs every 5 minutes to update this table, and another job runs daily to clear records older than 10 days.
We can query this table to get some more insights about user sessions. For example, a question to me posed recently was "How do I determine who was logged in at a certain time"?
A basic SAS program can be executed to answer that question.
/* Specify query time below in datetime. format */
%let qrytime='15OCT19:08:39:18'dt;
libname evdm '/opt/sas/viya/config/var/lib/evmsvrops/evdm/subjects' access=readonly;
data activesessions;
set evdm.authentications;
endtime=datetime+duration;
format datetime datetime.;
format endtime datetime.;
where &qrytime between datetime and &endtime or (&qrytime >= datetime and (duration=0 and session_sig ne '');
run;
proc print data=activesessions; run;
Note that this code sample is for demonstration purposes only, and there may be more efficient methods to extract the required user session information from the authentications subject table.
For more information on auditing in Viya, please refer to SAS Viya 3.4 Administration: Auditing.
Thank you for reading. I hope the information provided in this post has been helpful. Please leave a comment below to share your own experiences.
Available on demand!
Missed SAS Innovate Las Vegas? Watch all the action for free! View the keynotes, general sessions and 22 breakouts on demand.
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.