Administering SAS Web Applications
Overview of Auditing
SAS Web applications and other SAS middle-tier services provide auditing features. Depending on the application and its configuration, these auditing features can record all actions performed both by the direct users of the system and by the system itself. Some applications might provide a more complete audit, detailing not only the actions that are performed but also the states of the objects that are affected by those actions.
There are two primary ways in which auditing occurs:
- basic auditing with records that are logged to a file
- more detailed auditing with records that are written to a relational database
All SAS environments can be configured to use the basic auditing via logging that is available through services in the SAS Web Infrastructure Platform. Alternatively, those SAS environments that include SAS Shared Services are configured by default to use the detailed auditing via a relational database.
Configure the Audit Log File
The services in the SAS Web Infrastructure Platform provide default auditing using Apache log4j standards. The context com.sas.svcs.audit can be configured to use valid appenders. The context can also apply standard logging configuration rules that are defined for the SAS Web Infrastructure Platform Services application (sas.wip.services9.2.ear/sas.wip.services.war).
You can change the logging configuration for the SASWIPServices9.2 Local Services definition in the Foundation Services Manager plug-in in SAS Management Console. For more information about setting up logging contexts for Web applications, see Administering Logging for SAS Web Applications.
To set up the auditing context, follow these steps:
1. Log on to SAS Management Console.
2. On the Plug-ins tab, navigate to Environment Management > Foundation Services Manager > SASWIPServices9.2 Local Services > Core > Logging Service.
3. Right-click Logging Service and select Properties. The Logging Service Properties dialog box appears.
4. Select the Service Configuration tab and then click Configuration. The Logging Service Configuration dialog box appears for the application.
5. On the Contexts tab, click New and specify a logging context with the name com.sas.svcs.audit.
6. From the Priority list box, specify the logging level that you want. The log4j auditing occurs at the INFO level. Therefore, you must specify either INFO or DEBUG in order to get audit messages.
7. Specify the outputs that you want for the audit messages by moving one or more outputs from the Available list box to the Selected list box.
   Note: You can create a new output by selecting the Outputs tab in the Logging Service Configuration dialog box and clicking New. Then enter the information for the new output. Help is available from the dialog box.
8. Click OK to exit from each window.
To enforce the changes that you have made, restart the SAS Web Infrastructure Platform Services application.
Auditing That Uses Relational Tables
SAS environments that include SAS Shared Services provide more sophisticated audit retrieval and reporting capabilities, particularly for those applications with more regulatory or compliance requirements. In the relational database configuration, audit records are stored in a database named SharedServices. The records are written in three relational tables: SharedServices.SAS_AUDIT, SharedServices.ACTION_EXECUTOR, and SharedServices.SAS_AUDIT_ENTRY.
Enable Auditing for User Authentication Actions
The core auditing features in the middle tier can be configured to record information about successful user logon actions, failed logon attempts such as those attributed to incorrect credentials, and user logoff actions. By default, auditing of user authentication and session termination is disabled in a standard configuration.
To enable auditing of user authentication, follow these steps:
1. Open the following file in a text editor:

   SAS-installation-directory\SASWebInfrastructurePlatform\9.2\Static\wars\sas.wip.services\WEB-INF\spring-config\aop-config.xml

2. Remove the comments from the following lines:

   <!--
   <bean class="com.sas.svcs.authentication.impl.aop.FailedLogonAuditAdvice">
       <property name="auditRecorder" ref="auditRecorder" />
   </bean>
   <bean class="com.sas.svcs.authentication.impl.aop.SuccessfulLogoffAuditAdvice">
       <property name="auditRecorder" ref="auditRecorder" />
   </bean>
   <bean class="com.sas.svcs.authentication.impl.aop.SuccessfulLogonAuditAdvice">
       <property name="auditRecorder" ref="auditRecorder" />
   </bean>
   -->

3. Save your changes and rebuild the EAR file for SAS Web Infrastructure Platform Services (sas.wip.services9.2.ear). See Rebuilding the SAS Web Applications.
Note: Subsequent upgrade activities can overwrite this file. For example, if you later install a maintenance release that includes aop-config.xml, then you must repeat this procedure.
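Because an upgrade can silently restore the commented-out block, it is worth checking aop-config.xml after each maintenance release. The following script is an added example, not SAS code: it reports whether each of the three audit advice beans named above is enabled, still commented out, or missing. The sample document, its root element and its namespace are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Bean class names as they appear in the commented block on this page.
AUDIT_ADVICE = (
    "com.sas.svcs.authentication.impl.aop.FailedLogonAuditAdvice",
    "com.sas.svcs.authentication.impl.aop.SuccessfulLogoffAuditAdvice",
    "com.sas.svcs.authentication.impl.aop.SuccessfulLogonAuditAdvice",
)

# Constructed sample: one bean active, one commented out, one absent.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="com.sas.svcs.authentication.impl.aop.SuccessfulLogonAuditAdvice">
    <property name="auditRecorder" ref="auditRecorder" />
  </bean>
  <!--
  <bean class="com.sas.svcs.authentication.impl.aop.FailedLogonAuditAdvice">
    <property name="auditRecorder" ref="auditRecorder" />
  </bean>
  -->
</beans>"""

def audit_advice_status(xml_text):
    """Return {class_name: 'enabled' | 'commented' | 'missing'}."""
    # The default ElementTree parser discards comments, so only live
    # <bean> elements are visible here (matched by local name).
    root = ET.fromstring(xml_text)
    live = {el.get("class") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "bean"}
    # Collect the text found inside <!-- ... --> blocks only.
    commented = " ".join(re.findall(r"<!--(.*?)-->", xml_text, re.S))
    status = {}
    for cls in AUDIT_ADVICE:
        if cls in live:
            status[cls] = "enabled"
        elif f'class="{cls}"' in commented:
            status[cls] = "commented"
        else:
            status[cls] = "missing"
    return status

if __name__ == "__main__":
    # Pass the path to aop-config.xml; without one, the sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    result = audit_advice_status(text)
    for cls, state in result.items():
        print(f"{state:10} {cls}")
    sys.exit(0 if all(s == "enabled" for s in result.values()) else 1)
```

The script exits with a nonzero status unless all three beans are enabled, so it can run as a post-upgrade check before the EAR file is rebuilt.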
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.