How to disable audit log for specific account

Article ID: 234645

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

How to configure PIM Endpoint so that it does not leave any audit log for a specific account.
Running the selang command below
  eu test1 audit(none)
does not remove login records from the login log.

Environment

Release : 12.8

Component : PIM Endpoint

Resolution

The audit mode for an access is determined by two factors: the user and the resource. If the accessing user has audit enabled, access by that user is audited. If the resource rule has audit enabled, the access is also audited.

So, even if audit(none) is set for the user, the access will still be audited if the resource rule for the access has audit enabled.

For the login log, the corresponding resources are the LOGINAPPL and TERMINAL rules. If either of them has audit(s) enabled, the login is recorded in the login log even if the user audit mode is set to none.

Note the reason code in the audit log. For example:

07 Feb 2022 09:47:17 P LOGIN root 59 2 10.229.20.186 SSH

The 2 in the record above is the reason code, and it means:
    2   User audit mode requires logging
Running the 'seaudit -t' command shows the list of reason code descriptions.
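To check which reason codes are still producing login records for an account after its audit mode is changed, the records can be tallied per reason code. This is an added example, not part of the original article or the product: the field positions are assumed from the single sample record above, the input is audit output saved as text, and the test1 lines and reason code 99 are constructed.

```python
import re
from collections import Counter

# Only reason code 2 is described in the article; list the rest with 'seaudit -t'.
REASON_TEXT = {2: "User audit mode requires logging"}

# Assumed layout, inferred from the article's single sample record:
# date time status LOGIN user <number> reason-code terminal program
LOGIN_RE = re.compile(
    r"^\s*\d{2}\s+\w{3}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+\S\s+LOGIN\s+"
    r"(?P<user>\S+)\s+\d+\s+(?P<reason>\d+)\s+(?P<terminal>\S+)\s+(?P<program>\S+)"
)

def parse_login(line):
    """Return user, reason code, terminal and program for a LOGIN record, else None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = int(rec["reason"])
    return rec

def login_reasons(lines, account):
    """Count the reason codes on LOGIN records still written for one account."""
    counts = Counter()
    for line in lines:
        rec = parse_login(line)
        if rec and rec["user"] == account:
            counts[rec["reason"]] += 1
    return counts

def report(lines, account):
    """Build one summary line per reason code seen for the account."""
    out = []
    for code, n in sorted(login_reasons(lines, account).items()):
        text = REASON_TEXT.get(code, "not described in the article; see 'seaudit -t'")
        out.append(f"{account}: {n} LOGIN record(s), reason {code}: {text}")
    return out

# Constructed sample: the first line is the article's record, the rest are made up.
SAMPLE = """\
07 Feb 2022 09:47:17 P LOGIN root 59 2 10.229.20.186 SSH
07 Feb 2022 09:50:02 P LOGIN test1 59 2 192.0.2.10 SSH
07 Feb 2022 10:05:41 P LOGIN test1 59 99 192.0.2.10 SSH
garbled line that is not an audit record
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(SAMPLE, "test1")))
```

Records that still carry reason code 2 point at the user audit mode; any other code should be looked up with 'seaudit -t' before changing a rule.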

To achieve the objective in this case, filter the login log for the specified conditions. Please refer to:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-identity-manager/12-8-01/reference/configuration-files/audit-cfg-file-filter-audit-records.html

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-identity-manager/12-8-01/reference/configuration-files/audit-cfg-file-filter-audit-records/audit-cfg-file-login-and-logout-events-filter-syntax.html