How to audit failed attempts to su?
Issue
- Auditing is enabled with the NISPOM rules, and a watch has been set up for the use of su: "-w /bin/su -p x -k su-used". Running "ausearch -ts today -i -k su-used" returns the record for a failed attempt to su to root, but nothing in the record shows that the attempt failed: it has "success=yes".
Environment
- Red Hat Enterprise Linux 5
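The "success" field in a record produced by the su-used watch reports the result of the execve() call that started /bin/su, not the outcome of the password check; PAM logs that outcome in a separate USER_AUTH record with a res= field. The script below is an added example, not part of the Red Hat article: the sample records are constructed (the exact field layout varies between releases) and the names sample_log and su_audit are hypothetical.

```shell
#!/bin/sh
# Constructed sample records (not real log data): su is run twice,
# first with a wrong password, then with the correct one.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1300000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2100 auid=500 uid=500 euid=0 comm="su" exe="/bin/su" key="su-used"
type=USER_AUTH msg=audit(1300000003.200:102): user pid=2100 uid=500 auid=500 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=SYSCALL msg=audit(1300000060.100:103): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2200 auid=500 uid=500 euid=0 comm="su" exe="/bin/su" key="su-used"
type=USER_AUTH msg=audit(1300000062.300:104): user pid=2200 uid=500 auid=500 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
EOF
}

# su_audit MODE reads raw audit records on stdin.
#   exec     -> records produced by the su-used watch (result of execve)
#   authfail -> PAM authentication failures reported by /bin/su
su_audit() {
    awk -v mode="$1" '
    # Return the value of key=value on the current record, or "" if absent.
    function val(key,    i, t) {
        for (i = 1; i <= NF; i++) {
            t = $i
            gsub(/[\047"()]/, "", t)      # drop quotes and parentheses
            if (index(t, key "=") == 1) return substr(t, length(key) + 2)
        }
        return ""
    }
    # Event serial number: the digits after the colon in msg=audit(TIME:SERIAL):
    { ev = $2; sub(/\):$/, "", ev); sub(/^.*:/, "", ev) }
    mode == "exec" && $1 == "type=SYSCALL" && val("key") == "su-used" {
        printf "event=%s pid=%s success=%s\n", ev, val("pid"), val("success")
    }
    mode == "authfail" && $1 == "type=USER_AUTH" &&
    val("exe") == "/bin/su" && val("res") == "failed" {
        printf "event=%s pid=%s auid=%s acct=%s\n", ev, val("pid"), val("auid"), val("acct")
    }'
}

sample_log | su_audit exec       # both runs show success=yes
sample_log | su_audit authfail   # only the wrong-password run
```

On a live system the same distinction can be queried directly with "ausearch -m USER_AUTH -sv no -i", and the pid field ties each failure back to the matching su-used record.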