Enabling audit for the sas user might prevent two of those lines from showing up (those for pam_tty_audit) because the status wouldn't be changing, but it would not change what is happening (su being run as root to switch to sas and perform some action or no action). The existing audit report might have some detail on what root is doing when switching to sas. Adding sas to the audit will probably increase other file usage as it will now start capturing sas tty activity as well as root. The /etc/pam.d/su file is what is being used, and it probably has a session line that is calling some other pam.d file like system-auth where the pam_tty_audit line is. You could do something like grep tty /etc/pam.d/* to find it and make changes.
... View more
