Guardium Big Data Intelligence Integrity Hashes and the Guardium Big Data Intelligence Integrity Service

To ensure that data in Guardium Big Data Intelligence has not been modified over time, sonar generates a checksum each time a block of documents has been accumulated and stores that checksum in the admin database, in a collection called “system.signatures”.

By default this feature is off. To turn it on, add the following line to /etc/sonar/sonard.conf:


Integrity signatures are maintained in the system.signatures collection of the admin database (to which no users have access). Additionally, if you are subscribed to the Guardium Big Data Intelligence Integrity Service, you may turn on the engine on the SAGE screen.

Turning on the engine sends any new signatures incrementally to Guardium Big Data Intelligence, which maintains them in a special vaulted service. You can then make a request to validate that these signatures are the same as the signatures in your system. All communications occur through an encrypted email attachment. In addition, the data itself is not sensitive: each integrity record holds only a UUID and a hash value, for example:

{
  "_id" : ObjectId("594b04c241774b2200000581"),
  "namespace" : "sonargd.instance",
  "collection_uuid" : "bbd2f4fe-e8b7-4973-99dd-b77e4c217e58",
  "block_uuid" : "1ef37633-5b74-48f7-9f75-07614924c4d2",
  "block_signature" : "10cbaf7d1f68bb444b7589e9e2ab186bbee65e7da5e4f507a448f4cdba4ce95b",
  "block_id" : NumberLong(13801973),
  "block_part" : 1558
}

To build the signatures for an existing collection in the mongo shell, run:

use <database_name>
db.runCommand({"build_block_signatures":"<collection name>" })

To check the integrity of a given collection in the mongo shell, run:

use <database_name>
db.runCommand({"integrity_check":"<collection name>", "report_file":"filename" })

The file named in the report_file parameter contains a report of the result of the integrity check. It resides in the SONAR_HOME/log directory.

The report is written to the file as a JSON document with the following structure:

{
  'namespace': <collection namespace|string>,
  'blocks': [
    {
      'part': <part number|int>,
      'block_id': <block’s first doc relative to part|long>,
      'checked': <if we could check this block|boolean>,
      'result': <success or error message|string>
    }
  ]
}

Note: Only the user “sonarw” has permissions to read the report file.
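
The report structure described above can be triaged automatically. The following JavaScript (Node.js) is an added example, not part of the product or its documentation. It assumes the report file parses as valid JSON and that a passing block carries the literal result string "success"; the function name triageIntegrityReport and the sample values are hypothetical.

```javascript
// Added example: triage a parsed integrity_check report (structure as documented above).
// ASSUMPTION: a passing block carries the literal result string "success";
// pass a different successValue if your reports use another string.
function triageIntegrityReport(report, successValue = "success") {
  if (!report || typeof report.namespace !== "string" || !Array.isArray(report.blocks)) {
    throw new Error("not an integrity_check report: missing namespace or blocks");
  }
  const summary = {
    namespace: report.namespace, total: report.blocks.length,
    verified: 0, unchecked: [], failed: [], verdict: "PASS",
  };
  for (const entry of report.blocks) {
    const b = entry || {}; // tolerate a null/empty array element
    const where = { part: b.part, block_id: b.block_id };
    if (b.checked !== true) {
      // A block that could not be checked is not known to be intact:
      // track it separately instead of counting it as passing.
      summary.unchecked.push({ ...where, result: b.result });
    } else if (b.result === successValue) {
      summary.verified += 1;
    } else {
      summary.failed.push({ ...where, result: b.result });
    }
  }
  // FAIL: at least one checked block did not verify.
  // INCOMPLETE: nothing failed, but some (or all) blocks were never verified.
  if (summary.failed.length > 0) summary.verdict = "FAIL";
  else if (summary.unchecked.length > 0 || summary.total === 0) summary.verdict = "INCOMPLETE";
  return summary;
}

// Constructed sample report: illustrative values and messages, not real output.
// In practice this string would be the contents of the report file, read as sonarw.
const sampleReport = JSON.parse(`{
  "namespace": "sonargd.instance",
  "blocks": [
    {"part": 1558, "block_id": 13801973, "checked": true,  "result": "success"},
    {"part": 1558, "block_id": 13802485, "checked": true,  "result": "constructed error: signature mismatch"},
    {"part": 1559, "block_id": 0,        "checked": false, "result": "constructed error: no stored signature"}
  ]
}`);

const sampleSummary = triageIntegrityReport(sampleReport);
console.log(JSON.stringify(sampleSummary, null, 2));
```

Treating an INCOMPLETE verdict as an alert condition, alongside FAIL, keeps unchecked blocks from being read as a clean result.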