How to configure PIM Endpoint so that it does not leave any audit log for a specific account.
Running the selang command below
eu test1 audit(none)
does not remove login records in the login log.
Release : 12.8
Component : PIM Endpoint
Whether an access is audited is determined by two factors: the 'user' and the 'resource'. If the accessing user has audit enabled, the access by that user is audited. If the resource rule has audit enabled, the access is also audited.
So, even if audit(none) is set for the user, the access will still be audited if the resource rule for the access has audit enabled.
With regard to the login log, the corresponding resources are the LOGINAPPL and TERMINAL rules. If either of them has audit(s) enabled, the login will be recorded in the login log, even if the user audit is set to none.
Note the reason code in the audit log. For example:
07 Feb 2022 09:47:17 P LOGIN root 59 2 10.229.20.186 SSH
The 2 in the record above is the reason code, and it means:
2 User audit mode requires logging
Running the 'seaudit -t' command shows the list of reason code descriptions.
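To see which factor is still producing login records for an account, the reason codes can be tallied per user. The following is an added example, not part of the original article or the product: the field layout is inferred from the single sample record above, and reason code 9 in the sample data is a constructed stand-in for "a code other than 2".

```python
import re
from collections import Counter

# Layout inferred from the one sample record on this page (assumption):
# date time status LOGIN user <number> reason terminal program
LOGIN_RE = re.compile(
    r"^(?P<date>\d{2} \w{3} \d{4}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<status>\S)\s+LOGIN\s+(?P<user>\S+)\s+(?P<number>\d+)\s+"
    r"(?P<reason>\d+)\s+(?P<terminal>\S+)\s+(?P<program>\S+)\s*$"
)

# Only the reason code this page documents; 'seaudit -t' lists the rest.
KNOWN_REASONS = {2: "User audit mode requires logging"}


def parse_login(line):
    """Return a dict for a LOGIN record, or None for any other line."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = int(rec["reason"])
    return rec


def reason_counts(lines, user):
    """Count LOGIN records per reason code for one account."""
    counts = Counter()
    for line in lines:
        rec = parse_login(line)
        if rec and rec["user"] == user:
            counts[rec["reason"]] += 1
    return counts


def describe(reason):
    """Describe a reason code, or point to 'seaudit -t' if unknown here."""
    return KNOWN_REASONS.get(reason, "not documented here; check 'seaudit -t'")


# First line is the page's sample; the others are constructed for illustration.
SAMPLE = [
    "07 Feb 2022 09:47:17 P LOGIN root 59 2 10.229.20.186 SSH",
    "07 Feb 2022 10:02:41 P LOGIN test1 59 9 10.229.20.186 SSH",
    "07 Feb 2022 10:05:03 P LOGIN test1 59 9 10.229.20.186 SSH",
    "-- not a login record --",
]

if __name__ == "__main__":
    for reason, n in sorted(reason_counts(SAMPLE, "test1").items()):
        print(f"test1: reason {reason} x{n}: {describe(reason)}")
```

If an account set to audit(none) still shows records whose reason code is not 2, the user audit mode is not what triggers them, and the LOGINAPPL and TERMINAL rules are the place to look.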
We can filter the login log for specified conditions to achieve the objective in this case. Please refer