root can only access any box through its console, and only the SA team has root.
Each of our boxes has its own PWD, which kinda reassures you which box you're on.
All passwords expire, except for root...which I feel we don't change often enough.
Our shop is a big advocate of sudo.
We have captured menus (that utilize sudo) in place on ALL systems for Datactr personnel for the following actions:
Create unix accounts (IS and User)
Change passwords (all except for root)
Deactivate IS and remove User accounts.
As mentioned before, all of these activities will leave an audit trail...and in our case they will also have an associated HelpDesk request #.
Remember when you had to do all of these tasks...sudo is your friend.
We also utilize email (end-of-day) to help us manage other Audit policies, like the following:
invalid attempts at sudo (not valid sudo user)
invalid attempts at su (not part of SA team)
invalid login attempts, 3 or more...these are hourly.
(This is just an example of what can be implemented; this list can go on-and-on)
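As an added illustration of the end-of-day audit mail described above (example code, not from the original post or the poster's shop), this script pulls the three conditions listed, denied sudo, failed su, and 3 or more failed logins in one hour, out of syslog-style auth lines. The log lines, host name, user names and addresses are constructed sample data; the sudo, su and sshd message formats follow the usual Linux syslog wording.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (syslog format); not taken from any real system.
SAMPLE_LOG = """\
Mar  4 09:12:01 box01 sudo:     jdoe : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  4 09:15:44 box01 su: FAILED SU (to root) jdoe on pts/2
Mar  4 10:01:10 box01 sshd[2211]: Failed password for asmith from 10.0.0.5 port 50122 ssh2
Mar  4 10:02:15 box01 sshd[2212]: Failed password for asmith from 10.0.0.5 port 50123 ssh2
Mar  4 10:03:20 box01 sshd[2213]: Failed password for asmith from 10.0.0.5 port 50124 ssh2
Mar  4 11:30:00 box01 sshd[2300]: Failed password for bjones from 10.0.0.7 port 50200 ssh2
Mar  4 11:31:00 box01 sudo:  opsuser : TTY=pts/1 ; PWD=/home/opsuser ; USER=root ; COMMAND=/usr/local/bin/mkacct
"""

# Common syslog prefix: timestamp (with the hour captured separately) and host.
TS = r"^(?P<ts>\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2})\s+(?P<host>\S+)\s+"
SUDO_DENIED = re.compile(TS + r"sudo:\s+(?P<user>\S+)\s+:\s+(user NOT in sudoers|command not allowed)")
SU_FAILED = re.compile(TS + r"su(?:\[\d+\])?:\s+FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+)")
LOGIN_FAILED = re.compile(TS + r"sshd\[\d+\]:\s+Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def build_report(log_text, threshold=3):
    """Collect denied sudo, failed su, and per-hour repeated login failures."""
    sudo_denied, su_failed, logins = [], [], Counter()
    for line in log_text.splitlines():
        if m := SUDO_DENIED.match(line):
            sudo_denied.append((m["host"], m["ts"], m["user"]))
        elif m := SU_FAILED.match(line):
            su_failed.append((m["host"], m["ts"], m["user"], m["target"]))
        elif m := LOGIN_FAILED.match(line):
            # Bucket by host, day, hour, user and source so the threshold is per hour.
            day = m["ts"].rsplit(" ", 1)[0]
            logins[(m["host"], day, m["hour"], m["user"], m["src"])] += 1
    repeated = {k: n for k, n in logins.items() if n >= threshold}
    return {"sudo_denied": sudo_denied, "su_failed": su_failed, "login_failures": repeated}


def format_report(report):
    """Render the plain-text body that an end-of-day job would mail to the SA team."""
    lines = ["Invalid sudo attempts:"]
    lines += [f"  {h} {t} {u}" for h, t, u in report["sudo_denied"]] or ["  none"]
    lines.append("Invalid su attempts:")
    lines += [f"  {h} {t} {u} -> {tg}" for h, t, u, tg in report["su_failed"]] or ["  none"]
    lines.append("Invalid logins (3 or more in an hour):")
    lines += [f"  {h} {d} {hr}:00 {u} from {s}: {n}"
              for (h, d, hr, u, s), n in sorted(report["login_failures"].items())] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_LOG)))
```

The successful sudo line for opsuser is deliberately left out of the report: it is still in the audit trail, but it is not an exception worth mailing.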
got SOX?
In today's SOX climate, I find that all of these policies and associated audit trails are necessary.
If you don't have something similar in place, you may want to think about how some of them could provide some benefit to your env.