A customer's security team reports "User Removed from Privileged Group" log messages relating to BOSH-deployed VMs in their security scans and asks what is causing these log entries.
Log entries can appear in /var/log/audit.log and should look like:
type=SYSCALL msg=audit(1719350247.425:452274): arch=c000003e syscall=257 success=yes exit=8 a0=ffffff9c a1=55ccd719e540 a2=20902 a3=0 items=1 ppid=850 pid=4094985 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="userdel" exe="/usr/sbin/userdel" subj=unconfined key="identity" ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
or
type=DEL_USER msg=audit(1721851600.908:860): pid=8186 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=deleting user entries id=1012 exe="/usr/sbin/userdel" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" ID="bosh_3fb0796fe1084db"
Running 'bosh ssh' on the cluster causes BOSH to create an ephemeral user on the VM for the duration of the bosh ssh session. This ephemeral user is deleted when the bosh ssh session is over, which causes the messages above.
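
To separate these expected deletions from ones that need a closer look, the following triage sketch labels userdel audit records. It is an added example, not part of the original article or of BOSH tooling. It assumes that bosh ssh accounts are named "bosh_" followed by hex digits (inferred from the sample record above) and that SYSCALL and DEL_USER records from one userdel run share a pid within a few seconds; the function names are hypothetical.

```python
import re

# Assumption: bosh ssh accounts are named "bosh_" + hex digits, as in the
# sample record on this page (ID="bosh_3fb0796fe1084db").
BOSH_USER = re.compile(r"^bosh_[0-9a-f]+$")
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")
WINDOW = 5.0  # seconds; assumed bound on one userdel run (guards pid reuse)

def parse(line):
    """Return one audit record as a dict, or None if the line is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec.update(type=m.group(1), time=float(m.group(2)), serial=int(m.group(3)))
    return rec

def triage(lines):
    """Return [(serial, label, account)] for every userdel record."""
    recs = [r for r in map(parse, lines)
            if r and r.get("exe") == "/usr/sbin/userdel"]
    # Pass 1: DEL_USER records name the deleted account in the ID field.
    bosh_runs = {}  # pid -> (time, account)
    for r in recs:
        name = r.get("ID", "")
        if (r["type"] == "DEL_USER" and r.get("res") == "success"
                and BOSH_USER.match(name)):
            bosh_runs[r.get("pid")] = (r["time"], name)
    # Pass 2: SYSCALL records carry no account name, so attribute them to a
    # DEL_USER record from the same userdel process (same pid, close in time).
    out = []
    for r in recs:
        t, name = bosh_runs.get(r.get("pid"), (None, None))
        if t is not None and abs(r["time"] - t) <= WINDOW:
            out.append((r["serial"], "bosh-ssh-cleanup", name))
        else:
            out.append((r["serial"], "review", r.get("ID")))
    return out

# Constructed sample: line 2 is the DEL_USER record from this page; lines 1
# and 3 are made up for this example.
SAMPLE = """type=SYSCALL msg=audit(1721851600.901:859): arch=c000003e syscall=257 success=yes exit=8 pid=8186 uid=0 comm="userdel" exe="/usr/sbin/userdel" key="identity"
type=DEL_USER msg=audit(1721851600.908:860): pid=8186 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=deleting user entries id=1012 exe="/usr/sbin/userdel" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" ID="bosh_3fb0796fe1084db"
type=DEL_USER msg=audit(1721851700.100:901): pid=9001 uid=0 auid=1000 ses=3 subj=unconfined msg='op=deleting user entries id=1005 exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/0 res=success'UID="root" AUID="alice" ID="svc_backup"
""".strip().splitlines()
for row in triage(SAMPLE):
    print(row)
```

A "review" label only means the record could not be tied to a bosh ssh cleanup by these rules; a SYSCALL record with no matching DEL_USER record in the input is labelled that way as well.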