If it's not your personal box at the institute, then the only people who should need the admin pass are the IT dept people, right? I mean, you might be trying to protect the box for the wrong reasons. For instance if it's data you're worried about, use encryption. Besides that, with physical access to the box it wouldn't be too hard to convince the box to boot anything they want or rip out the hd to "change" things. So apart from locking it up in a secure room, heres what I'm thinking of you can do:
- let BIOS have administration passwd
- set BIOS to boot from hd only
- remove cd/fd from the case
- clear out /etc/securetty so root will be denied a login from any tty , and make the file immutable,
- dont allow runlevel 1, single mode, rescue mode or whatever its called to the box can't be put down non-network mode. Maybe make rc0.d a symlink to rc6.d (reboot),
- disable the LILO prompt and make it directly boot one kernel,
- remove the CTRL+ALT+DEL sequence (inittab) and make sure sysctl is disabled (kernel compiletime option) so no one can reboot the box that way,
- set up any PAM service (also sudo) that allows root to make changes to have an extra passwd just to make it a 'lil bit harder,
- make sudo only allow you su root access,
- change yours and the root passwd weekly and and make all shadow passwd file immutable.
- watch out for the "regular" pitfalls wrt hardening the box like remote services allowing root access: read the LQ Security References
- talk to your institutes IT people. If there's need for restrictions, theyre really the ones who should implement those.
Again, since we're talking about a box with unrestricted physical access, these should be considered very, very weak protection measures and they DO NOT enhance security in an absolute way. Please think about what you're actually protecting.