According to my customer, they saw a user who doesn't exist in seosdb and /etc/passwd file in seos.audit file. <Date&Time> W FILE <the user> Write 202 4
Cause
The user doesn't exist but a process for the user was being run on the Linux box. Then, a file was accessed by the process.
Environment
RedHat Linux 7.2 CA PIM 12.8SP1 Endpoint
Resolution
Please stop the process and please check LADB. If the user exists in LADB, please remove the user from LADB. <rebuild LADB> #sebuildla -u <check LADB> #sebuildla -U