Some additional thoughts:
Since the log is written by the workspace server process, and that process belongs to the individual user, any location for a log must be user-writable. That means that no matter what you do, a user can also remove such a log, as long as (s)he is able to determine the name of the log.
I have tried to throw as much of an obstacle into this as I can by:
- creating a logs directory in the home directories of the users
- having this directory owned by root and the primary group of the user
- setting the permission to drwx-w----
A new appender has been added to logconfig.xml:
<!-- Rolling log file with default rollover of midnight -->
<appender class="RollingFileAppender" name="TimeBasedRollingFile">
  <param name="Append" value="true"/>
  <param name="ImmediateFlush" value="true"/>
  <rollingPolicy class="TimeBasedRollingPolicy">
    <param name="fileNamePattern" value="$HOME/logs/XXXXXXXXXXXXXXX_%d_%S{pid}.log"/>
  </rollingPolicy>
  <layout>
    <param name="HeaderPattern" value="Host: '%S{hostname}', OS: '%S{os_family}', Release: '%S{os_release}', SAS Version: '%S{sup_ver_long2}', Command: '%S{startup_cmd}'"/>
    <param name="ConversionPattern" value="%d %-5p [%t] %X{Client.ID}:%u - %m"/>
  </layout>
</appender>
and two loggers have their level set to Info:
<!-- Application message logger -->
<logger name="App" immutability="true">
  <level value="Info"/>
</logger>
<!-- IOM protocol message logger -->
<logger name="IOM" immutability="true">
  <level value="Info"/>
</logger>
This gives me all actions with individual timestamps in the log; if I want, I can put on my superuser persona and watch a user's actions "live" by repeatedly tailing the log file. The users could only remove (or edit) a log file if they knew the process number and the details of this structure.
Although this is just a case of security by obscurity, it provides at least some level of safely recording all user actions done through SAS.
Note this was implemented before the advent of Environment Manager.
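
An added example, not part of the original post: a Python audit of one user's logs directory against the root-owned, user-group scheme described above, using standard POSIX directory semantics. The function names and finding strings are hypothetical, and the expected owner uid of 0 (root) is taken from the post.

```python
import os
import stat

def group_capabilities(mode):
    """POSIX directory semantics for a member of the directory's group."""
    r = bool(mode & stat.S_IRGRP)
    w = bool(mode & stat.S_IWGRP)
    x = bool(mode & stat.S_IXGRP)
    return {
        "list_names": r,              # reading the directory reveals log file names
        "reach_known_name": x,        # search bit: open a file whose name is known
        "create_or_unlink": w and x,  # adding or removing entries needs write AND search
    }

def audit_log_dir(path, user_gid, owner_uid=0):
    """Return findings for one user's logs directory (empty list = as intended)."""
    st = os.lstat(path)  # lstat, so a symlink in place of the directory is reported
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_gid != user_gid:
        findings.append("group gid %d, expected %d" % (st.st_gid, user_gid))
    if st.st_mode & stat.S_IRWXO:
        findings.append("accessible to other")
    caps = group_capabilities(st.st_mode)
    if caps["list_names"]:
        # The scheme relies on the user not being able to discover file names.
        findings.append("group can list file names")
    if not caps["create_or_unlink"]:
        # The workspace server runs as the user and must create its own log.
        findings.append("group cannot create files")
    return findings

if __name__ == "__main__":
    import sys
    # Hypothetical usage: python audit_logs.py <logs directory> <user's primary gid>
    if len(sys.argv) == 3:
        for finding in audit_log_dir(sys.argv[1], int(sys.argv[2])) or ["ok"]:
            print(finding)
```

Because unlinking needs the same write and search bits as creating, the audit cannot separate the two: a user who can create log files can also remove one whose name is known.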