By wanting to disable su, I am assuming that you are allowing direct root logins to the host. This is a horrible idea.
A more secure approach is to require your administrators to have a named account on the system, forcing them to log in, preferably using ssh, which is configured to log the connection in syslog.
That user must then su - to become root, enterring the password through a secure connection, also proving who it was who performed the account. Thus you will have identity, authentication, and authorisation as well as accountability.
The best way to limit who can use su is via the /etc/pam.conf, however you should add the "pam_hpsec.so.1" option as an additional directive and under /etc/default/security, find the "SU_ROOT_GROUP" and set a "wheel" group. Users must be in this group tu su to root.
Here are the pam.conf directives relating to su.
su auth required libpam_hpsec.so.1 bypass_setaud
su auth required libpam_updbe.so.1
su auth sufficient libpam_krb5.so.1
su auth required libpam_unix.so.1 try_first_pass
su account required libpam_hpsec.so.1
su account required libpam_updbe.so.1
su account required libpam_authz.so.1
su account sufficient libpam_krb5.so.1
su account required libpam_unix.so.1
Note, in my case, there is also pam_authz and pam_krb5, as non-local users authenticate against a windows AD using Kerberos, and authorization is controlled with the Pam_AUTHZ module limiting local login access to members of a specific domain group.
If you weren't planning on implementing something like AD authentication, you could also use pam_authz to specify that users in the wheel group are the only ones allowed to use the su command. Same pam.conf entry as above. In the /etc/opt/ldpaux/pam_authz.policy file, you would hae an entry like this:
allow:unix_group:wheel
This would allow you to keep the IAAA functionality of su for admins, but remove access for all other local users.
Don
