RHEL 5

Have two events having difficulty capturing or reviewing with the audit sub-system.

1. su - "non_existent_account". Using the nispom.rules provided by audit 1.5.6-1. Using various ausearch parameters, am unable to find a corresponding failure when attempting to "su" to a non-existent account.

2. Non-privileged user attempting to change the date/time on the server. Of course the user fails to be able to do so, but am unable to capture or review the event.

Not sure if these are audit rule configuration or search unknowns or audit sub-system limitations.

Thank you
Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corporation
art.henning@ngc.com