This seems to translate as the root user running the su command to become the user "sas", auditing being turned off (presumably because it's only turned on for root), then the session ends and auditing is turned on again.
May 18 10:01:20 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:01:20 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:01:21 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:01:21 sasoa01p su: pam_tty_audit(su:session): restored status to 1
Might be worth checking to see what processes are running as the root user, and/or the audit report (aureport --tty).
https://linux.die.net/man/8/pam_tty_audit
--
Greg Wootton | Principal Systems Technical Support Engineer
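
The open/change/close/restore sequence read out in the reply above, as an added example that is not part of the original post: a small parser that pairs each pam_tty_audit "changed status" line with its "restored status" line and reports who the session was for and how long the changed state lasted. The function names and the placeholder year are assumptions, and because the quoted lines carry no PID, events are paired per host and syslog tag.

```python
import re
from datetime import datetime

# The four syslog lines quoted in the post above.
SAMPLE_LOG = """\
May 18 10:01:20 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:01:20 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:01:21 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:01:21 sasoa01p su: pam_tty_audit(su:session): restored status to 1
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: "
    r"(?P<mod>pam_\w+)\([^)]*:session\): (?P<msg>.*)$")
OPENED = re.compile(r"session opened for user (\S+) by \S*\(uid=(\d+)\)")
CHANGED = re.compile(r"changed status from (\d) to (\d)")
RESTORED = re.compile(r"restored status to (\d)")

def parse_ts(ts, year=2000):
    # Syslog omits the year; 2000 is an assumed placeholder so strptime gets a full date.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def tty_audit_windows(text):
    """Return one record per changed/restored pair seen for a host + syslog tag."""
    pending, last_open, windows = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a PAM session line
        key, msg = (m["host"], m["tag"]), m["msg"]
        if m["mod"] == "pam_unix" and (o := OPENED.search(msg)):
            last_open[key] = {"user": o[1], "by_uid": int(o[2])}
        elif m["mod"] == "pam_tty_audit" and (c := CHANGED.search(msg)):
            # Status 1 = TTY auditing enabled, 0 = disabled for this session.
            pending[key] = {"host": m["host"], "start": parse_ts(m["ts"]),
                            "before": int(c[1]), "during": int(c[2]),
                            **last_open.get(key, {"user": None, "by_uid": None})}
        elif m["mod"] == "pam_tty_audit" and (r := RESTORED.search(msg)) and key in pending:
            w = pending.pop(key)
            w["restored_to"] = int(r[1])
            w["seconds"] = (parse_ts(m["ts"]) - w["start"]).total_seconds()
            windows.append(w)
    return windows

if __name__ == "__main__":
    for w in tty_audit_windows(SAMPLE_LOG):
        state = "off" if w["during"] == 0 else "on"
        print(f'{w["host"]}: TTY audit {state} for user {w["user"]} '
              f'(su by uid {w["by_uid"]}), {w["seconds"]:.0f}s')
```
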