I see the following in /var/log/auth.log (system is current Ubuntu).

```
myserver su[14993]: illegal option minimum_uid=1000
myserver su[14993]: Successful su for jeanbon by root
myserver su[14993]: + ??? root:jeanbon
myserver su[14993]: pam_unix(su:session): session opened for user jeanbon by (uid=0)
myserver systemd-logind[1931]: New session c253 of user jeanbon.
myserver systemd: pam_unix(systemd-user:session): session opened for user jeanbon by (uid=0)
myserver su[14993]: pam_unix(su:session): session closed for user jeanbon
myserver systemd-logind[1931]: Removed session c253.
```

Does it mean that user jeanbon has become root using the su command? This user cannot use sudo and tells me he doesn't know the root password. There are many similar logs in rapid succession, for 4 different users at various times.

dargaud

1 Answer

These log entries indicate that the root user became jeanbon, not that jeanbon became root.

Michael Hampton
  • So is it some kind of login process? – dargaud Jun 18 '19 at 19:03
  • @dargaud It's a pretty typical usage for `su`. It is, after all, for switching users. If you want to know why it happened, you should ask the administrator who did it. Logs can't always say why a human being took an action. – Michael Hampton Jun 18 '19 at 19:34
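
Added example, not part of the original question, answer or comments: a small parser that reads `su` result lines in the direction the answer describes ("su for TARGET by CALLER" means CALLER became TARGET) and lists any non-root caller that became or tried to become root. Only the first two sample lines come from the question; the others, the `FAILED su for` wording (assumed to match what shadow's `su` logs for a rejected attempt), and the function names are constructed for illustration.

```python
import re
from collections import Counter

# "Successful su for <target> by <caller>": the caller became the target.
# The FAILED form is assumed to be the wording su logs for a rejected attempt.
SU_RE = re.compile(
    r"su\[(?P<pid>\d+)\]: (?P<result>Successful|FAILED) "
    r"su for (?P<target>\S+) by (?P<caller>\S+)"
)

# Constructed sample: lines 1-2 are from the question, the rest are made up.
SAMPLE = """\
myserver su[14993]: Successful su for jeanbon by root
myserver su[14993]: + ??? root:jeanbon
myserver su[15002]: Successful su for root by alice
myserver su[15010]: FAILED su for root by bob
myserver su[15011]: Successful su for jeanbon by root
"""

def parse_su_events(text):
    """Return (caller, target, succeeded) for every su result line."""
    events = []
    for line in text.splitlines():
        m = SU_RE.search(line)
        if m:
            events.append((m["caller"], m["target"], m["result"] == "Successful"))
    return events

def summarize(events):
    """Count each transition and list non-root callers that targeted root."""
    counts = Counter(events)
    to_root = sorted({(c, ok) for c, t, ok in events if t == "root" and c != "root"})
    return counts, to_root

if __name__ == "__main__":
    counts, to_root = summarize(parse_su_events(SAMPLE))
    for (caller, target, ok), n in counts.items():
        print(f"{caller} -> {target}: {'ok' if ok else 'failed'} x{n}")
    for caller, ok in to_root:
        print(f"review: {caller} {'became' if ok else 'tried to become'} root")
```

On the lines from the question this reports only `root -> jeanbon`, which is the reading given in the answer.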