It would be good to restrict root access to make it a lot harder to log in as root.
auth required pam_wheel.so in /etc/pam.d/su will make it so only users in the root group can use su. This can prevent a compromised system user (e.g. the whonixcheck user) from switching to another user and/or gaining root. The user user can be added to the root group so they can use su normally or they can also be restricted and will have to use
Emptying the /etc/securetty file can prevent someone from logging in as root from a tty or console.
While not necessarily helpful for just the root account, we can increase the number of hashing rounds when hashing passwords by adding rounds=(number) to the end of the pam_unix.so module in /etc/pam.d/common-password. E.g. rounds=65536. The higher the number of rounds, the longer it takes to log in and set passwords. 65536 rounds takes 1 second even on slow computers.
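A check for the three settings discussed above, as an added example that is not part of the original post. The function names, the root-prefix argument (so a copy of /etc can be audited) and the default minimum of 65536 rounds, taken from the example value above, are assumptions.

```shell
#!/bin/sh
# Added example: audit the su, securetty and password-hashing settings.
# Usage: audit "" 65536      (an empty prefix audits the live /etc)

# Succeeds if an uncommented "auth required pam_wheel.so" line is present.
su_restricted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Succeeds if the file exists and lists no terminals (comments and blank
# lines are ignored). A missing file is reported as not hardened.
securetty_empty() {
    [ -f "$1" ] || return 1
    ! grep -Eqv '^[[:space:]]*(#.*)?$' "$1"
}

# Prints the rounds= value from the active pam_unix.so password line,
# or nothing if the option is not set.
unix_rounds() {
    sed -n -E '/^[[:space:]]*password[[:space:]].*pam_unix\.so/ s/.*[[:space:]]rounds=([0-9]+).*/\1/p' "$1" | head -n 1
}

# audit PREFIX [MIN_ROUNDS]: prints one FAIL line per missing setting and
# returns non-zero if any check fails.
audit() {
    root=${1:-}
    min=${2:-65536}
    rc=0
    su_restricted "$root/etc/pam.d/su" ||
        { echo "FAIL: pam_wheel.so not required in $root/etc/pam.d/su"; rc=1; }
    securetty_empty "$root/etc/securetty" ||
        { echo "FAIL: $root/etc/securetty is missing or lists terminals"; rc=1; }
    r=$(unix_rounds "$root/etc/pam.d/common-password")
    [ "${r:-0}" -ge "$min" ] ||
        { echo "FAIL: pam_unix.so rounds=${r:-unset}, expected >= $min"; rc=1; }
    return "$rc"
}
```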