Hacker News

pan69 04/23/2025 (6 replies)

> all-powerful “tenant admin” accounts that were to be exempted from network logging activity

Is this normal to build this sort of functionality into a software system? Especially software systems that heavily rely on auditability?


Replies

michaelt 04/23/2025

Sometimes, depending on the situation.

My company retains all e-mails for at least 5 years, for audit purposes. But if some troublemaker were to e-mail child porn to an employee, we'd need to remove that from the audit records, because the laws against possessing child porn don't have an exception for corporate audit records.

So there's essentially always some account with the power to erase things from the audit records.

katbyte 04/23/2025

No. Never. While it’s expected to have a “root” account, exempting it from logging serves no honest purpose.

sanderjd 04/23/2025

Of course not. It's the exact opposite and every single person here knows this.

sellmesoap 04/23/2025

From an old hacker's perspective, disabling shell history can have positive security implications. But in today's 'cattle not pets' systems mentality I'd expect all actions to have a log, and not having that seems fishy to me. Keeping logging infra secure has a dubious, the log4j fiasco comes to mind. I'm not a fan of regulation for most things, but I think we need a higher cost for data leaking since security is an afterthought for many orgs. My personal leaning is to be very choosy about who I'll do business/share data with.

typs 04/23/2025

> “We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”

From the previous post, they had auditor roles built in that they purposely chose to go around.

XorNot 04/23/2025

It's the same as domain admin in Active Directory.

You always need it to set up the system initially.

It's like root on Linux: it's an implementation detail that it must be possible.
