Use the command ps -U root -u root u --forest to locate processes and daemons that run with root privileges. If, for some reason, one of these daemons gets compromised, the attacker gains root privileges to execute command in your system.
Some entries listed by this command are programs that are active. This means that you should first exit most programs that you are running as root (such as aptitude in interactive mode).
Note that many of these daemons must run as root because they need privileged access to hardware and other system resources. As a result, it is best to stop some of these daemons if they are not useful. Bastille does a good job locating unnecessary daemons that run as root.