implementing audit trails in a sas environment suhail … groups...suhail wali audit trail an audit...

Implementing Audit Trails in a SAS Environment

Suhail Wali

Audit Trail

An audit trail (or audit log) is a security-relevant chronological record, set of records,or destination and source of records thatprovide documentary evidence of thesequence of activities that have affected atany time a specific operation, procedure, orevent.

- Wikipedia -

Where can we find audit trails?

• Financial Transactions

• Scientific research

• Health care data transactions

• Communication

Leveraging SAS to implement Audit trails

http://support.sas.com/documentation/cdl/en/lrcon/67227/HTML/default/viewer.htm#n0ndg2uekz7qkbn1caoki2hzqx8l.htm

Single source of updates

Digital Anarchy

Audit Trail File

• Created by Base SAS engine

• Same libref and member name as the data file

• Data type - AUDIT

• Replicates variables in the data file and adds twomore types

- _AT*_ variables – automatic variables storingmodification data

- User created variables for storing modificationdata

_AT*_ Variable Description

_ATDATETIME_ Stores the date and time of a modification

_ATUSERID_ Stores the logon user ID that is associated with a modification

_ATOBSNO_ Stores the observation number that is affected by the modification

_ATRETURNCODE_ Stores the event return code

_ATMESSAGE_ Stores the SAS log message at the time of the modification

_ATOPCODE_ Stores a code that describes the type of modification

_AT*_ variables

Code Modification

AL Auditing is resumed

AS Auditing is suspended

DA Added data record image

DD Deleted data record image

DR Before-update record image

DW After-update record image

EA Observation add failed

ED Observation delete failed

EU Observation update failed

_ATOPCODE_ Values

libname space "S:\audit_trail";

Data space.audit_sw;input var1 var2;datalines;10 10020 20030 30040 40050 500;

Run;

proc datasets lib=space;audit Audit_sw;initiate;

run;

/*User 1 actions*/proc sql;

insert into space.audit_sw values(60,600);delete from space.audit_sw where mod(var1,20)=0;update space.audit_sw set var2=999 where var1=10;

quit;

Example

/*Extract audit report*/

proc sql;create table space.audit_report as select * from space.audit_sw(type=audit);

quit;

Example Contd..

/*User2 actions*/

data audit_ks;input var1 var2;datalines;100 239200 456;

run;

proc append base=space.audit_sw data=audit_ks;run;

proc sql;insert into space.audit_sw values(230,780);delete from space.audit_sw where var1=20;

Quit;

Example Contd..

/*Extract audit report*/proc sql;

create table space.audit_report as select * from space.audit_sw(type=audit);

quit;

Example Contd..

Audit operations

• Initiate

• Suspend

• Resume

• Terminate

proc datasets lib=space;audit Audit_sw;initiate;

run;

Considerations

• Performance considerations

• Audit trail not preserved on files - copied- Moved- sorted in place- replaced- transferred to other Operating Environment

• Preserving audit trails when migrating data files(CEDA)- Migrate

Benefits

- Preservation of Updates

- No special programming requirements

-Flexibility of adding user variables

- Free with Base SAS license

Thank You

Suhail Wali

Ph: 0421 836 020

Email : [email protected]

implementing audit trails in a sas environment suhail … groups...suhail wali audit trail an audit...

Documents