RHEL 5

Have two events having difficulty capturing or reviewing with the audit
sub-system.

1. su - "non_existent_account". Using the nispom.rules provided by audit
1.5.6-1. Using various ausearch parameters, am unable to find a
corresponding failure when attempting to "su" to a non-existent account.

2. Non-privileged user attempting to change the date/time on the server.
Of course the user fails to be able to do so, but am unable to capture
or review the event.

Not sure if these are audit rule configuration or search unknowns or
audit sub-system limitations.

Thank you
Art Henning (CSL) 
Enterprise IT Solutions
Northrop Grumman Corporation
art.henning@ngc.com