Or even better, find out what they actually need (surely they don't need every possible thing on the system as root), change root password thus disabling the use of 'su' from them and make them use 'sudo' instead, after having configured 'sudo' for each of them in such a manner that they can only run the specified, really needed commands with it (no shells, su, sudo or anything that grants them root shell..it might take some time thinking but it's worth it, really). Password of root should only be known to one person, the rest should just use sudo. Even that one person who knows root password should use sudo instead of that, and it's not a bad idea to lock root account too, to prevent misusage. Using sudo is surely sufficient; spending some time with it is less wasted time than spending some time with thinking who just executed something stupid on your system as root, if there are 100 people who knew root password and they all say they don't know about it.
EDIT: sudo's logging is a handy feature, but know that if the folks have root access, you can't save the logs on the same machine. Have the logs saved onto another machine that is not accessible for the root folks, only you. This way they can't hide their traces so easily.
Last edited by b0uncer; 08-09-2007 at 08:15 AM.