To enhance audit of root access, direct logon should be denied for the root account. It is recommended using only the su command to gain root privileges.
A word of warning: before you do this, make sure there is at least one active user account you can use to log in. If there isn't one active user account, you'll have to boot using the CDROM and undo the following step to regain root access.
To prevent direct login of the root account, edit the file /etc/default/login.
Look for the line CONSOLE=/dev/console. This line may be commented out. Make sure there is an uncommented version of this line that reads:
CONSOLE=
Restrict root's Search Path
To prevent the execution of Trojanized copy of utilities such as ls and ps hackers may have placed in a hacked directory structure, restrict root's search path to directories root owns, i.e., /sbin, /usr/bin and /usr/sbin. Edit root's .cshrc, .profile, and .login and remove the current directory specification (.) and restrict root's PATH to the above directories.
Set root's File Mask
Root's umask should be set to 077 or 027. Add the following entry in root's .profile or .cshrc:
umask 077
When this is done, all files or directories created by root will have rwx------ for 077 or rwxr-x--- for 027 file mask.
Click here for the rest of this 12-part tip.
