Abuse of system privileges
If you have reason to believe a person with root-level
authorizations is abusing their privileges, you should enable
auditing for that user to determine if they are performing
questionable actions. If the user has the root
password or the su authorization, event
``L. (Admin/Operator Actions)'' will show the actions done that
require high-level authorization.