Steve, Audit team,
My colleagues and I were discussing ways we might better monitor for potential insider
threat. We can easily see the commands our SAs run when they use sudo in front of the
command, but if the sysadmin uses "sudo su -", then we don't have good
visibility into the commands they perform while they are su'd unless there happens to
be an audit rule monitoring the specific files/commands they are accessing/running.
We've talked about possible ways to improve our visibility in this situation, but most
of the options we came up with are easily thwarted and/or would cause the logs to blow up
to the point that it's difficult to spot nefarious activity. Some options we
considered included having Splunk monitor the shell history files, and possibly enabling
ps auditing.
Can you recommend any audit rules that would audit the interactive commands being issued
by a sysadmin who is su'd as root without causing the logs to blow up?
Any assistance you can provide would be much appreciated.
Thank you,
Karen Wieprecht
The Johns Hopkins Applied Physics Laboratory
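One defensive approach to the question above, added here as an example that is not part of Karen's message or of the audit project's own code: auditd stamps every event with the login uid (auid), which is fixed at login and survives `sudo su -`, so an execve rule keyed on auid records what the admin runs as root without watching every file. The rule, the key name `admin_cmd`, and the sample audit.log records are constructed; the script pairs SYSCALL and EXECVE records by serial and attributes each command to the auid rather than the uid it ran under.

```python
import re
from collections import defaultdict

# Constructed auditd rule (key name "admin_cmd" is an assumption). The login uid (auid)
# is set at login and does not change on su, so this execve rule keeps firing while the
# admin is root; logging execve only, not every open/read, keeps the volume bounded.
AUDIT_RULE = "-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k admin_cmd"
# Constructed audit.log records. SYSCALL and EXECVE share the serial in msg=audit(TIME:SERIAL).
# Serial 501: auid=1001 but uid=0 (command run after su to root); a2 is hex because it contains
# spaces. Serial 502: a daemon with no login session (raw auid 4294967295 = unset).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4322 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=7 comm="sh" exe="/usr/bin/dash" key="admin_cmd"
type=EXECVE msg=audit(1700000000.123:501): argc=3 a0="sh" a1="-c" a2=69643B20636174202F6574632F7375646F657273
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="cron_exec"
type=EXECVE msg=audit(1700000000.456:502): argc=2 a0="run-parts" a1="/etc/cron.hourly"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
UNSET_AUID = 4294967295  # how an unset login uid appears in raw audit.log

def decode_arg(value):
    """EXECVE args are quoted, or unquoted hex when they contain spaces or special chars."""
    return value.strip('"') if value.startswith('"') else bytes.fromhex(value).decode("utf-8", "replace")

def attribute_commands(log_text):
    """Pair SYSCALL/EXECVE records by serial and attribute each execve to the auid (the
    account that logged in), not the uid it runs as; skip records with no login session."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        rec = events[m.group(1)]
        if fields.get("type") == "SYSCALL":
            rec["syscall"] = fields
        elif fields.get("type") == "EXECVE":
            rec["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
    results = []
    for serial in sorted(events, key=int):
        sc, argv = events[serial].get("syscall"), events[serial].get("argv")
        if not sc or argv is None:
            continue
        auid = int(sc["auid"])
        if auid == UNSET_AUID or auid < 1000:
            continue  # daemons and system accounts: no human login to attribute to
        results.append({"serial": serial, "auid": auid, "uid": int(sc["uid"]), "ses": sc["ses"],
                        "tty": sc["tty"], "interactive": sc["tty"] != "(none)", "cmd": " ".join(argv)})
    return results
```

Splunk or a SIEM can index the same ausearch output keyed on `auid`/`ses`, which groups a whole "sudo su -" session under the original login rather than under root.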