Protect Superuser Access

Explain some of the ways you can protect superuser access.

1) Do not allow direct root logins, except perhaps from the console, and only if the console is in a physically secure location. Only terminals marked as secure in the /etc/ttytab file allow a user with UID 0 to log in directly. At every other terminal the user must log in as a normal user and then su to root. Marking terminals explicitly as unsecure is a good idea, although not strictly necessary.

Example /etc/ttytab:
console "/usr/etc/getty std.9600"  sun     on  local   unsecure
ttya    "/usr/etc/getty std.9600"  vt100   off local   unsecure
ttyd0   "/usr/etc/getty std.19200" dialup  on          unsecure
tty00   "/usr/etc/getty std.9600"  unknown off local   unsecure
ttyp0   none                       network off         unsecure

2) Limit the users who are allowed to su to root. If the wheel group (group 0) in the /etc/group file or the NIS group map has a non-empty member list, only the listed members are allowed to su to root; all other users are denied, even when they enter the correct root password.

3) On newer Linux systems, the file /etc/securetty controls remote root access: if any entry has the value ttyp (a pseudo-terminal, which is what network logins are given), then remote root logins are possible. On newer SunOS and IRIX systems, remote root access is controlled by /etc/default/login: if the CONSOLE entry is commented out, i.e. the line
#CONSOLE=xxxxx is found, then remote root logins are possible.
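The three checks in points 1 to 3 can be scripted. The following is an added example, not from the original page: it audits a ttytab, a group file, a securetty file and a default/login file for the weak settings described above. The four files are constructed inside the script so it runs stand-alone; on a real host you would point the functions at /etc/ttytab, /etc/group, /etc/securetty and /etc/default/login instead, and the file names, user names and directory layout used here are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit the root-access controls
# from points 1 to 3. The four files are constructed below for a stand-alone
# run; on a live system pass /etc/ttytab, /etc/group, /etc/securetty and
# /etc/default/login to the functions instead.

# Point 1: every terminal flagged "secure" in a ttytab file accepts direct
# root logins. Print the names of those terminals (comment lines skipped).
secure_terminals() {
    grep -v '^#' "$1" | awk '{ for (i = 2; i <= NF; i++) if ($i == "secure") print $1 }'
}

# Point 2: the member list of GID 0 in a group file. Only these users may
# su to root; an empty list (nothing printed) means no restriction at all.
wheel_members() {
    awk -F: '$3 == 0 { print $4 }' "$1"
}

# Point 3 (Linux): a securetty file naming a pseudo-tty (ttyp*) lets root
# log in over the network. Exit status 0 when such an entry exists.
securetty_allows_remote() {
    grep -q '^ttyp' "$1"
}

# Point 3 (SunOS/IRIX): a commented-out or missing CONSOLE line in
# default/login leaves root free to log in from any terminal.
default_login_allows_remote() {
    ! grep -q '^CONSOLE=' "$1"
}

# Run all checks on the files in directory $1. Warnings go to stderr, the
# number of findings to stdout.
audit_root_access() {
    dir=$1
    findings=0
    for t in $(secure_terminals "$dir/ttytab"); do
        [ "$t" = console ] && continue
        echo "WARNING: direct root login allowed on non-console terminal $t" >&2
        findings=$((findings + 1))
    done
    if [ -z "$(wheel_members "$dir/group")" ]; then
        echo "WARNING: wheel group has no members, so su to root is unrestricted" >&2
        findings=$((findings + 1))
    fi
    if securetty_allows_remote "$dir/securetty"; then
        echo "WARNING: securetty lists a pseudo-tty; remote root logins possible" >&2
        findings=$((findings + 1))
    fi
    if default_login_allows_remote "$dir/login"; then
        echo "WARNING: CONSOLE not set in default/login; remote root logins possible" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample files (not copied from any real system)
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/ttytab" <<'EOF'
console "/usr/etc/getty std.9600"  sun     on  local   secure
ttya    "/usr/etc/getty std.9600"  vt100   off local   unsecure
ttyd0   "/usr/etc/getty std.19200" dialup  on          secure
ttyp0   none                       network off         unsecure
EOF
cat > "$demo_dir/group" <<'EOF'
wheel:*:0:root,alice
staff:*:10:
EOF
cat > "$demo_dir/securetty" <<'EOF'
console
tty1
ttyp0
EOF
cat > "$demo_dir/login" <<'EOF'
#CONSOLE=/dev/console
EOF

# Prints 3: ttyd0 is secure, ttyp0 is in securetty, CONSOLE is commented out
audit_root_access "$demo_dir"
```

The functions deliberately read only the file they are given, so the same script can audit a copy of a remote host's files collected for review rather than the live system.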

4) Log and monitor su activity.

su information can be logged to a separate file by editing /etc/syslog.conf:

# To log all unsuccessful logins, failed su attempts and root logins to a local file
auth.notice             /var/log/authlog
# To send only failed su attempts and root logins to the loghost machine
auth.warning            ifdef(`LOGHOST', /var/log/authlog, @loghost)

Monitor the su log on a regular basis, either by looking at the file or by having it mailed to you.
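Reviewing the log by eye does not scale, so here is an added example, not from the original page, of a small report script over the authlog described above. The log lines are constructed in the SunOS syslog style for su ('su root' failed for USER on TTY) and login (ROOT LOGIN TTY); the host name, user names, the threshold value and the file location are assumptions for the demonstration, and on a real host you would pass /var/log/authlog as the file argument and pipe the output to mail(1).

```shell
#!/bin/sh
# Added example, not from the original page: summarise su activity from a
# syslog-style authlog. The sample log below is constructed; on a real host
# pass /var/log/authlog as the file argument.

# Print "count user" for every user with failed su-to-root attempts,
# most frequent first.
failed_su_attempts() {
    grep "'su root' failed for" "$1" \
        | sed "s/.*failed for \([^ ]*\) on .*/\1/" \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print each user who successfully became root, once each.
successful_root_su() {
    grep "'su root' succeeded for" "$1" \
        | sed "s/.*succeeded for \([^ ]*\) on .*/\1/" \
        | sort -u
}

# Print the terminal of every direct root login recorded by login(1).
direct_root_logins() {
    grep 'ROOT LOGIN' "$1" | sed 's/.*ROOT LOGIN //'
}

# Print users whose failed attempts exceed $2; the output is a suitable
# body for a daily report mailed to the administrator.
over_threshold() {
    failed_su_attempts "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

# Constructed sample log (not a real capture)
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
Nov  5 10:12:01 gateway su: 'su root' failed for mallory on /dev/pts/3
Nov  5 10:12:09 gateway su: 'su root' failed for mallory on /dev/pts/3
Nov  5 10:12:20 gateway su: 'su root' failed for mallory on /dev/pts/3
Nov  5 10:13:02 gateway su: 'su root' failed for mallory on /dev/pts/3
Nov  5 11:40:45 gateway su: 'su root' succeeded for alice on /dev/pts/1
Nov  5 12:01:11 gateway su: 'su root' failed for bob on /dev/pts/2
Nov  5 12:01:30 gateway su: 'su root' succeeded for bob on /dev/pts/2
Nov  5 13:15:00 gateway login: ROOT LOGIN /dev/console
EOF

echo "Failed su attempts per user:"; failed_su_attempts "$sample_log"
echo "Users who became root:";      successful_root_su "$sample_log"
echo "Direct root logins:";         direct_root_logins "$sample_log"
echo "More than 3 failures:";       over_threshold "$sample_log" 3
```

A single failed su is usually a typo; a run of failures from one account against root, as in the sample, is the pattern worth a prompt look, which is why the report counts per user rather than listing every line.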

5) Use a program such as sudo in place of su to avoid giving people unrestricted root access. 

Quoting from the README file of sudo version 1.3.1:

Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. 

(c) www.gotothings.com All material on this site is Copyright.