Figure 9 - Sample Tool Output (Tiger - error messages)


INFORMATIONAL ERROR MESSAGES

acc002i:
The listed login ID is disabled, but has a potentially valid shell. These can usually be safely ignored.


WARNINGS

acc001w:
The listed login ID is disabled in some manner ('*' in passwd field, etc), but the login shell for the login ID is a valid shell (from /etc/shells or the system equivalent). A valid shell can potentially enable the login ID to continue to be used. The login shell should be changed to something that doesn't exist, or to something like /bin/false.

acc003w:
The listed login ID is disabled in some manner ('*' in passwd field, etc), but the .forward file is setup to execute programs. This can allow the login ID to continue to be used despite the fact that it is disabled. The .forward file should be checked and probably removed.


ALERTS

acc007a:
The listed login ID has a '.hushlogin' file which is not zero-length. This file is normally a zero length file. This file is frequently used by intruders as a place to store captured passwords. This file should be looked at. If it appears to be such a log file, then the system should be regarded as being compromised. The system should be thoroughly checked and cleaned.

acc009a:
The login ID 'sync' has no password and the shell is not /bin/sync, which is what it normally is. This could indicate an intrusion has occurred. If the shell is one of the normal shells (/bin/sh, /bin/csh, etc), then this is very likely the situation. The login ID should be disabled, or the shell reset to '/bin/sync'.