Due to the recent SQL injection attacks on our firewalls, we are taking the precaution of changing all of our local passwords. We don't have a whole lot on there, but the trouble is they are mixed in with AD users. There are over 900 users on our main firewall. According to KB 135419 - yes I can go into each user and look at a field. With any large amount of users this is totally impractical. It looks like all the users that came over from AD have the domain appended to the end of the username. I've sorted those out with the filter for now, but this doesn't necessarily mean they are AD accounts. They could still be local.
How can I filter on only my local accounts?
Apologies for the inconvenience caused. I would request you to Open a Support Case for further investigation.
Please PM me the support case number.
Community Support Engineer | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts If a post solves your question use the 'Verify Answer' button.
I'm not 100% sure, but as far s I see local users have the "authserverid" value set to "1" in the datebase.
so you could grep them from the advanced shell with:
psql -U nobody -d corporate -c "select * from tbluser where authserverid=1"
as far as i understand AD/tacacs/ldap users have the value set to "3", but it could also refer to the 3rd (or 2nd) auth server...
cish method for listing and changing local users: https://community.sophos.com/kb/en-us/135493
I'm not seeing the expected user modification result outlined there yet on our xg's on current sfos 17 + 18. It reports"PIN is set for 0 user(s), failed for 0 user(s)" after the command is run even though it does show the users. Opened a support case for that and maybe others will have different results.