SonarG Integrity Hashes and the SonarG Integrity Service

To make it possible to verify that the data in SonarG has not been modified over time, every time a block of documents has been accumulated, Sonar computes a hash (signature) over that block and stores it in the admin database, in a collection called “system.signatures”.

By default this feature is off. To turn it on, add the following line to /etc/sonar/sonard.conf:

integrity_checks=true

Integrity signatures are maintained in the admin database (to which no users have access) in the system.signatures collection. Additionally, if you are subscribed to the SonarG Integrity Service, you may turn on the engine on the SAGE screen.

Turning on the engine sends any new signatures incrementally to the SonarG Integrity Service, which keeps them in a separate vaulted store. You can then request a validation that the vaulted signatures are the same as the signatures held in your system. Because the vaulted copy lives outside your SonarG installation, a modification that also rewrote the local system.signatures collection would still show up as a mismatch against the vault. All communication takes place through encrypted email attachments; in addition, the data itself is not sensitive, since each integrity record holds only identifiers (UUIDs and block numbers) and a hash value, for example:

{
  "_id" : ObjectId("594b04c241774b2200000581"),
  "namespace" : "sonargd.instance",
  "collection_uuid" : "bbd2f4fe-e8b7-4973-99dd-b77e4c217e58",
  "block_uuid" : "1ef37633-5b74-48f7-9f75-07614924c4d2",
  "block_signature" : "10cbaf7d1f68bb444b7589e9e2ab186bbee65e7da5e4f507a448f4cdba4ce95b",
  "block_id" : NumberLong(13801973),
  "block_part" : 1558
}

To build the signatures for an existing collection (one that already held data before integrity_checks was enabled) in the mongo shell, run:

use <database_name>
db.runCommand({"build_block_signatures":"<collection name>" })

To check the integrity of a given collection in the mongo shell, run:

use <database_name>
db.runCommand({"integrity_check":"<collection name>",  report_file: "filename" })

The file named by the report_file parameter will contain the result of the integrity check. It is written to the SONAR_HOME/log directory.

The report is written as a JSON document with the following structure:

{
  'namespace': <collection namespace|string>,
  'blocks': [
    {
      'part': <part number|int>,
      'block_id': <block’s first doc relative to part|long>,
      'checked': <if we could check this block|boolean>,
      'result': <success or error message|string>
    },
    ...
  ]
}

Note: Only the user “sonarw” has permission to read the report file.