
Is there a way to limit the number of su attempts from a user?

For example, malicious user gets into a user login that has su access. Repeatedly runs su to try to gain superuser access.

This example would be a rare occurrence but it still seems like a good idea to add protection from.

Attempting Faillock:

I added the following lines to /etc/pam.d/su to test it:

    auth        required       pam_faillock.so preauth silent audit deny=1 unlock_time=120
    auth        sufficient     pam_unix.so nullok try_first_pass
    auth        [default=die]  pam_faillock.so authfail audit deny=1 unlock_time=120
    account     required       pam_faillock.so

However, it doesn't lock anyone out. I was monitoring via faillock and I saw:

    # faillock
    user:
    When                Type  Source                                           Valid
    root:
    When                Type  Source                                           Valid
    2015-01-30 20:55:05 TTY   pts/1                                                V
    2015-01-30 20:55:20 TTY   pts/1                                                V

However, this entry is under root (so would it lock down the root user for everyone?) and this entry has no effect on su.

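As an added example (not code from the question or the answer), the following Python script parses the `faillock` output shown above and replays pam_faillock's counting rule approximately (valid failures that fall inside one fail_interval window are tallied per user; defaults assumed to be deny=3 and fail_interval=900 s). It makes visible that the tally is kept under the target user (root here), not under the user running su, which is why the source user is never locked. The sample output is constructed to mirror the listing above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the faillock listing in the question (not real data).
SAMPLE = """\
user:
When                Type  Source                                           Valid
root:
When                Type  Source                                           Valid
2015-01-30 20:55:05 TTY   pts/1                                                V
2015-01-30 20:55:20 TTY   pts/1                                                V
2015-01-30 20:40:00 TTY   pts/2                                                I
"""

# One tally line: timestamp, type, source, and V (valid) or I (invalid/expired).
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+([VI])$")


def parse_faillock(text):
    """Return {user: [(when, type, source, valid), ...]} from `faillock` output."""
    records = defaultdict(list)
    user = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith(":") and " " not in line:   # "root:" style user header
            user = line[:-1]
            continue
        m = ENTRY.match(line)
        if m and user is not None:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            records[user].append((when, m.group(2), m.group(3), m.group(4) == "V"))
    return dict(records)


def would_lock(records, deny=3, fail_interval=900):
    """Users whose valid failures inside one fail_interval window reach `deny`.

    Approximation of pam_faillock's rule (assumed, not taken from its source):
    for each failure, count valid failures in the preceding fail_interval seconds.
    Returns {user: count_that_tripped_the_threshold}.
    """
    locked = {}
    for user, entries in records.items():
        times = sorted(t for t, _, _, valid in entries if valid)
        for t in times:
            window = [u for u in times if t - timedelta(seconds=fail_interval) < u <= t]
            if len(window) >= deny:
                locked[user] = len(window)
                break
    return locked
```

Running `would_lock(parse_faillock(SAMPLE), deny=1)` reports only root, the target of su, so a per-source-user limit needs the tally keyed on the calling user rather than on root.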

1 Answer


A little Googling results in a link to this documentation:

Task: Set Maximum Number of Login Failures

    The -m option allows you to set the maximum number of login failures after 
    which the account is disabled to a specific number called MAX. Selecting a MAX value 
    of 0 has the effect of not placing a limit on the number of failed logins.
    The maximum failure count should always be 0 for root to prevent a denial of
    service attack against the system:
    # faillog -M MAX -u username
    # faillog -M 10 -u vivek

and this documentation:

    faillog
    faillog -u <user> -r
    faillog -u oracle -m 0
    /var/log/faillog
    faillog -u <user> -m -1

However executing faillog on CentOS7. According to this Q&A pam_tally2 replaces the faillog command.

    deny=n
        Deny access if tally for this user exceeds n.