Built-in database protection

Sophos Enterprise Console and the SophosSecurity database provide several built-in types of protection for the audit data:

  • Access control
  • Tamper protection

Access control

Access control is implemented at the following levels:

  • Front-end graphical user interface (GUI) level

    Only users who have the Auditing right in Sophos Enterprise Console and are members of the Sophos Console Administrators group can enable or disable auditing.

  • Database level

    By default, only users who are members of the Sophos DB Admins group can access the database interfaces. In addition, the stored procedures from the database interfaces require a valid user session token to be presented. The token is generated by the system when a user opens the GUI or changes the sub-estate.

Tamper protection

The database is designed to prevent changes to the audit event data. Apart from certain configuration settings, nothing in the auditing database ever needs to be updated, so triggers on the tables roll back any attempt to update or delete their data.

The data can only be deleted by purging the database. Data that is more than two years old is purged automatically every 24 hours as part of the standard embedded scheduled purge task on the Sophos Enterprise Console server. You can also use the PurgeDB tool to purge the data; see knowledge base article 109884.
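The following is an added illustration of the trigger-based tamper protection described above. It is not Sophos's schema or trigger code: it uses SQLite from Python, and the AuditEvent table, the PurgeFlag gate and the purge_older_than function are constructed for the example. The point it demonstrates is that direct UPDATE and DELETE statements are rolled back by triggers, while a single controlled purge path can still remove old rows.

```python
import sqlite3

# Constructed example schema (not the SophosSecurity database):
# an append-only audit table whose UPDATE/DELETE triggers roll the
# statement back. Rows can only leave through the purge function,
# which raises a flag that the DELETE trigger checks.
SCHEMA = """
CREATE TABLE AuditEvent (
    EventId    INTEGER PRIMARY KEY,
    OccurredAt TEXT NOT NULL,   -- ISO 8601 timestamp
    Actor      TEXT NOT NULL,
    Action     TEXT NOT NULL
);

-- Gate consulted by the delete trigger; 0 outside a purge.
CREATE TABLE PurgeFlag (Enabled INTEGER NOT NULL);
INSERT INTO PurgeFlag VALUES (0);

-- Any attempt to rewrite an audit row is rolled back.
CREATE TRIGGER AuditEvent_NoUpdate
BEFORE UPDATE ON AuditEvent
BEGIN
    SELECT RAISE(ROLLBACK, 'audit rows are immutable');
END;

-- Deletes are rolled back unless a purge is in progress.
CREATE TRIGGER AuditEvent_NoDelete
BEFORE DELETE ON AuditEvent
WHEN (SELECT Enabled FROM PurgeFlag) = 0
BEGIN
    SELECT RAISE(ROLLBACK, 'audit rows can only be removed by the purge task');
END;
"""


def open_audit_db():
    """Create an in-memory database with the audit table and its triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, occurred_at, actor, action):
    """Inserts are the only write the audit table accepts."""
    with conn:
        conn.execute(
            "INSERT INTO AuditEvent (OccurredAt, Actor, Action) VALUES (?, ?, ?)",
            (occurred_at, actor, action),
        )


def try_tamper(conn, sql, params=()):
    """Run a direct modification and report whether the triggers blocked it."""
    try:
        with conn:
            conn.execute(sql, params)
        return "allowed"
    except sqlite3.DatabaseError as exc:  # RAISE() surfaces as an error
        return f"blocked: {exc}"


def count_events(conn):
    return conn.execute("SELECT COUNT(*) FROM AuditEvent").fetchone()[0]


def purge_older_than(conn, cutoff_iso):
    """Controlled purge: raise the gate, delete old rows, lower the gate.

    Runs as one transaction, so the gate cannot be left raised if the
    delete fails. Returns the number of rows removed.
    """
    with conn:
        conn.execute("UPDATE PurgeFlag SET Enabled = 1")
        cur = conn.execute("DELETE FROM AuditEvent WHERE OccurredAt < ?", (cutoff_iso,))
        conn.execute("UPDATE PurgeFlag SET Enabled = 0")
    return cur.rowcount


if __name__ == "__main__":
    db = open_audit_db()
    record_event(db, "2021-01-01T00:00:00Z", "admin", "AuditingEnabled")
    record_event(db, "2024-06-01T00:00:00Z", "admin", "PolicyChanged")
    print(try_tamper(db, "UPDATE AuditEvent SET Actor = 'nobody'"))
    print(try_tamper(db, "DELETE FROM AuditEvent"))
    print("rows after tamper attempts:", count_events(db))
    print("rows purged:", purge_older_than(db, "2023-01-01T00:00:00Z"))
```

On SQL Server, which hosts the SophosSecurity database, the same effect is obtained with AFTER UPDATE / AFTER DELETE triggers that issue ROLLBACK TRANSACTION; the SQLite RAISE(ROLLBACK) form above is the closest self-contained equivalent. The gate table stands in for whatever the real purge task uses to bypass the protection; the essential property is that the bypass is only reachable through the scheduled purge or the PurgeDB tool, not through an ordinary database session.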