Ensure that no two regular users are assigned or share the same account. Never give any users the same UID.
Think about how you can assign group IDs to promote appropriate sharing and protection without sharing accounts.
Avoid use of the root account for routine activities that can be done under a plain user ID. Disable root logins.
Think of how to protect especially sensitive files in the event that the root account is compromised. This protection includes use of removable media and encryption.
Restrict access to the /bin/su command, or restrict the ability to su to user root. Consider using sudo instead.
Use /bin/su to switch to the user's ID when investigating problem reports rather than exploring as user root. Always give the full pathname when using su.
Scan the files /var/log/messages, /var/adm/sulog, and other appropriate log files on a regular basis for bad su attempts.
If your system supports kernel security levels or capabilities, consider using them to restrict what root can do when the system is running.
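
One way to carry out the regular scan for bad su attempts recommended above, as an added example that is not part of the original text. The two record formats it parses (a System V style sulog and a BSD style "BAD SU" syslog line), the function names, and the sample log lines are assumptions constructed for illustration; check them against what your own system writes.

```shell
#!/bin/sh
# Assumed record formats (constructed; verify against your own logs):
#   sulog:  SU MM/DD HH:MM +|- tty fromuser-touser   ("-" = failed attempt)
#   syslog: ... su: BAD SU fromuser to touser on tty

# scan_su_failures FILE...  ->  one "from to tty format" line per failure
scan_su_failures() {
    awk '
        # sulog record: field 4 is "-" when the su attempt failed.
        $1 == "SU" && $4 == "-" && NF >= 6 {
            # Split from-to on the last hyphen (assumes the target has none).
            p = length($6)
            while (p > 0 && substr($6, p, 1) != "-") p--
            if (p > 1) print substr($6, 1, p - 1), substr($6, p + 1), $5, "sulog"
            next
        }
        # syslog record: locate the "BAD SU <from> to <to> on <tty>" words.
        {
            for (i = 1; i <= NF - 6; i++)
                if ($i == "BAD" && $(i + 1) == "SU" && $(i + 3) == "to")
                    print $(i + 2), $(i + 4), $(i + 6), "syslog"
        }
    ' "$@"
}

# su_failure_summary THRESHOLD FILE...  ->  "count from to", highest first,
# for every from/to pair with at least THRESHOLD failed attempts.
su_failure_summary() {
    threshold=$1; shift
    scan_su_failures "$@" |
        awk -v t="$threshold" '{ n[$1 " " $2]++ }
            END { for (k in n) if (n[k] >= t) print n[k], k }' |
        sort -k1,1nr -k2
}

# Constructed sample logs so the example runs offline.
sample_dir=$(mktemp -d)
cat > "$sample_dir/sulog" <<'EOF'
SU 03/14 09:12 + pts/1 alice-root
SU 03/14 23:41 - pts/4 bob-root
SU 03/14 23:42 - pts/4 bob-root
SU 03/15 08:03 - pts/2 carol-alice
EOF
cat > "$sample_dir/messages" <<'EOF'
Mar 14 23:43:07 host1 su: BAD SU bob to root on ttyp4
Mar 15 10:00:01 host1 su: alice to root on ttyp1
Mar 15 10:05:12 host1 sshd[411]: Accepted publickey for alice
EOF
su_failure_summary 2 "$sample_dir/sulog" "$sample_dir/messages"
```

On a real system, pass the actual log paths instead of the sample files and run the summary from cron so that repeated failures against root are reviewed regularly.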