A.6 Chapter 5: Users, Groups, and the Superuser


  • Ensure that no two regular users are assigned or share the same account. Never give any users the same UID.

  • Think about how you can assign group IDs to promote appropriate sharing and protection without sharing accounts.

  • Avoid use of the root account for routine activities that can be done under a plain user ID. Disable root logins.

  • Think of how to protect especially sensitive files in the event that the root account is compromised. This protection includes use of removable media and encryption.

  • Restrict access to the /bin/su command, or restrict the ability to su to user root. Consider using sudo instead.

  • /bin/su to the user's ID when investigating problem reports rather than exploring as user root. Always give the full pathname when using su.

  • Scan the files /var/log/messages, /var/adm/sulog, and other appropriate log files on a regular basis for bad su attempts.

  • If your system supports kernel security levels or capabilities, consider using them to restrict what root can do when the system is running.
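Two of the items above (unique UIDs, and regular scanning of the logs for bad su attempts) can be turned into a small audit script. The following is an added example, not code from the book; the /etc/passwd excerpt and the syslog lines are constructed for the example, modelled on the su(1) message formats that Debian-style su, shadow-utils su and pam_unix produce. The function names (duplicate_uids, failed_su_count, failed_su_by_user) are the example's own.

```shell
#!/bin/sh
# Added example: audit checks for shared UIDs and failed su attempts.
# All input below is constructed so the script runs offline.

# Constructed /etc/passwd excerpt. Two distinct accounts share UID 0,
# which is exactly the condition the checklist says must never occur.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh'

# Constructed /var/log/messages excerpt with three common su failure formats
# ("FAILED su for ... by ...", "FAILED SU (to ...) ... on ...", and the
# pam_unix "authentication failure" line), plus unrelated noise.
SAMPLE_LOG='Mar  3 10:01:12 host su[2011]: Successful su for root by alice
Mar  3 10:05:44 host su[2030]: FAILED su for root by bob
Mar  3 10:05:51 host su[2030]: pam_unix(su:auth): authentication failure; logname=bob uid=1002 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=root
Mar  3 10:07:02 host su[2041]: FAILED SU (to root) bob on /dev/pts/1
Mar  3 10:08:15 host su[2055]: FAILED SU (to root) carol on /dev/pts/2
Mar  3 10:09:30 host sshd[2100]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2'

# Print every UID that appears on more than one passwd line, followed by
# the account names that share it, e.g. "0: root toor".
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '
        { count[$3]++; names[$3] = names[$3] " " $1 }
        END { for (uid in count) if (count[uid] > 1) print uid ":" names[uid] }'
}

# Count log lines that record a failed su attempt, in any of the three formats.
failed_su_count() {
    printf '%s\n' "$1" | grep -c -i -E \
        'su\[[0-9]+\]: (FAILED SU|pam_unix\(su:auth\): authentication failure)'
}

# Print "user count" for each calling user with at least one failed attempt.
# Each branch extracts the invoking user from one of the three formats.
failed_su_by_user() {
    printf '%s\n' "$1" | awk '
        /su\[[0-9]+\]: FAILED su for .* by / { seen[$NF]++ }
        /su\[[0-9]+\]: FAILED SU \(to [^)]*\) / {
            sub(/.*FAILED SU \(to [^)]*\) /, ""); split($0, f, " "); seen[f[1]]++
        }
        /su\[[0-9]+\]: pam_unix\(su:auth\): authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^logname=/) { sub(/^logname=/, "", $i); seen[$i]++ }
        }
        END { for (u in seen) print u, seen[u] }'
}

# Stand-alone run: report on the constructed samples.
echo "Shared UIDs:"
duplicate_uids "$SAMPLE_PASSWD"
echo "Failed su attempts: $(failed_su_count "$SAMPLE_LOG")"
echo "By calling user:"
failed_su_by_user "$SAMPLE_LOG" | sort
```

Against a live system the same functions take the real files, for example `duplicate_uids "$(cat /etc/passwd)"` and `failed_su_by_user "$(cat /var/log/messages)"`, and can be run from cron so that the scan the checklist asks for happens on a schedule rather than when someone remembers. Note that a single su failure often produces both a "FAILED SU" line and a pam_unix line, so the counts are per log line, not per attempt; what matters for the review is the set of users and the trend, not the exact total.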



Practical Unix & Internet Security, 3rd Edition
ISBN: 0596003234
Year: 2003
Pages: 265
