Know what everybody is doing as root--even if it is authorized.  If it
is unauthorized you will be able to track back to the time the breach
occurred.