su Logging


terets
02-03-2006, 02:47 PM
My company is going through the beautiful Sarbanes-Oxley audit at the moment.

One of the things I need to achieve is to prove that all logs are being reviewed, particularly security-related ones.

On Solaris, su automagically logs all su commands directly to /var/adm/sulog. I would like to do the same with my Linux machines, but I've been searching thoroughly for this and can't find any documentation.

I know that sudo logs directly to /var/log/secure, but I want the su command logged separately as well. I've made modifications to syslog.conf, but there is no facility that allows for su.

Anyone have any ideas on how to accomplish this?

happybunny
02-03-2006, 03:04 PM
Check out syslog-ng... an insanely configurable syslog on steroids.

http://www.balabit.com/products/syslog-ng/
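As an added illustration (not part of happybunny's post, and not taken from the syslog-ng documentation), here is the kind of syslog-ng fragment that gets a Solaris-style /var/log/sulog out of a Linux box. It assumes su is the shadow-package su, which sends its messages through syslog with facility AUTHPRIV and program name "su"; the file path, permissions and source name are my choices. Classic syslogd can only select on facility and priority, so authpriv.* would lump su in with sudo and every other AUTHPRIV message; syslog-ng's program() filter is what makes the separate file possible.

```conf
# Constructed example for a syslog-ng 1.6/2.x style config (syslog-ng 3.x
# would use the system() source instead of unix-stream("/dev/log")).

source s_local {
    unix-stream("/dev/log");   # where glibc's syslog() delivers on Linux
    internal();
};

# program() takes a regular expression; anchor it, otherwise "su" also
# matches "sudo" and "sulogin" and the file is no longer su-only.
filter f_su {
    facility(authpriv) and program("^su$");
};

destination d_sulog {
    file("/var/log/sulog" perm(0600));   # readable by root only, like /var/adm/sulog
};

log {
    source(s_local);
    filter(f_su);
    destination(d_sulog);
};
```

Keep whatever existing log {} statement already routes authpriv to /var/log/secure or /var/log/auth.log; this one adds a copy rather than replacing it, and the auditor gets both the combined file and the su-only file.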

bwkaz
02-03-2006, 07:23 PM
But if su doesn't use the syslog() function, then syslog-ng won't help one bit... ;)

My version of su (from the shadow package, not coreutils) logs one message using the facility AUTHPRIV. My syslog configuration puts these messages into /var/log/auth.log (and not in any other file). Your syslog configuration should be putting them somewhere, though it's possible that it doesn't.

AFAIK the su from coreutils doesn't log anything. That may be your problem, although shadow is pretty much universal now. (To find out, you can probably try to su but provide the wrong password: shadow's su says "Sorry.", but coreutils' su says nothing, IIRC.)

(Another option would be to just remove the su program altogether, or remove execute permission from it, to force people to use sudo. But that's probably not a good solution.)
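As an added example to go with bwkaz's point (my code, not from the thread or from the shadow project): once shadow's su messages are being written somewhere, turning them into the sulog-style evidence the auditor asked for is a small parsing job. The assumed input format is the two syslog lines shadow's su emits per attempt on Debian-style systems, "Successful su for root by alice" / "FAILED su for root by bob" followed by "+ /dev/pts/1 alice:root" or "- /dev/pts/2 bob:root"; the sample log is constructed, and the regex may need adjusting for other distributions or PAM-based su variants. The output mimics the Solaris /var/adm/sulog line layout, "SU MM/DD HH:MM + tty from-to".

```python
import re

# Constructed sample of a Linux auth.log / secure file: shadow su records
# (AUTHPRIV) interleaved with an unrelated sudo line. Not real log data.
SAMPLE_AUTH_LOG = """\
Feb  3 14:47:12 host su[4321]: Successful su for root by alice
Feb  3 14:47:12 host su[4321]: + /dev/pts/1 alice:root
Feb  3 14:52:30 host su[4330]: FAILED su for root by bob
Feb  3 14:52:30 host su[4330]: - /dev/pts/2 bob:root
Feb  3 14:53:01 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Feb  3 15:01:45 host su[4402]: - /dev/pts/3 carol:postgres
"""

# Matches only the "+/- tty from:to" record written by shadow's su (assumed
# format).  "su\[" keeps sudo's lines out even though they share the facility.
SU_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}):\d{2} "
    r"(?P<host>\S+) su\[\d+\]: (?P<result>[+-]) (?P<tty>\S+) (?P<src>[^:]+):(?P<dst>\S+)$"
)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_su_lines(text):
    """Yield one dict per su attempt found in the syslog text."""
    for line in text.splitlines():
        m = SU_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["tty"] = rec["tty"].replace("/dev/", "")   # sulog prints pts/1, not /dev/pts/1
        rec["ok"] = rec["result"] == "+"
        yield rec


def to_sulog(text):
    """Render each attempt in Solaris /var/adm/sulog style: SU MM/DD HH:MM + tty from-to."""
    return [
        "SU %02d/%02d %s %s %s %s-%s" % (
            MONTHS[r["mon"]], int(r["day"]), r["time"],
            r["result"], r["tty"], r["src"], r["dst"])
        for r in parse_su_lines(text)
    ]


def summarize(text):
    """Counts a reviewer signs off on: successes, failures, and who failed to reach root."""
    recs = list(parse_su_lines(text))
    failed_root = sorted({r["src"] for r in recs if not r["ok"] and r["dst"] == "root"})
    return {
        "ok": sum(1 for r in recs if r["ok"]),
        "failed": sum(1 for r in recs if not r["ok"]),
        "failed_root_by": failed_root,
    }


if __name__ == "__main__":
    for line in to_sulog(SAMPLE_AUTH_LOG):
        print(line)
    print(summarize(SAMPLE_AUTH_LOG))
```

Run it against /var/log/auth.log (or /var/log/secure) instead of the sample and the first list is the sulog equivalent; the summary is the part worth attaching to the review record, since a failed su to root from an account that should never be attempting one is exactly what a log review is supposed to surface.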