I have to do a security audit in Solaris production servers; in which one of audit read like this:
"Check for dormant and unauthorized accounts. Review the accounts in /etc/passwd files. Review, investigate, and results documented for any accounts that have had no logins for the past 90 days or accounts still present from terminated employees".
My queries are as follows:
1) How can I check whether a particular account is active and how can I find the last time the user logged in?
2) How can I ensure whether an account is a normal one or it has some administrative previlage?
3) I have an entry like this in passwd file "zzzzzz:x:60002:60002:special crontab account:/:/dev/null". What it represents? How can i ensure that this account is harmless?