Preventing normal users from using the su command

I was asked how to force normal users to use the sudo command and to never allow them use the su command.  The reason given was for auditing purposes.  The sudo command logs “who” and “what”, whereas the su command does not.

Here is one solution to the problem.  Remove the execute permissions for group others.

$ sudo chmod o-x /bin/su

Now create a rule in /etc/sudoers to handle a case where a user, identified by the username thomas, might try to run “sudo su”.

Cmnd_Alias SU = /bin/su

thomas ALL=(ALL) !SU