The Question is:
Recently we applied a patch to our POP server in order to update the "last
non-interactive login time" field (UAI$_LASTLOGIN_N) in UAF everytime a user
remotely downloads his e-mail.
It is done using sys$setuai function and works well, but this operation is
reported (obviously) by the audit system as a SYSUAF_MODIFY event.
Is it possible to allow a process (i.e. the POP server) to perform this
operation without being audited? Strictly speaking, even loginout.exe modifies
sysuaf, but it isn't audited.
The Answer is :
There is no mechanism to exclude a particular source of an event marked
for auditing, though you can use the auditing tools to filter out those
events that you do not wish to track when using the tools to create an
auditing data file that is a subset of the active auditing file.