Integrity Control for QHB Version 1.5.3

Description of the Integrity Control Subsystem

The integrity control mechanism is implemented using the background process integrity_checker.

The background process verifies the integrity of the binary files of executable modules and utilities. It also verifies the integrity of the program code of the stored procedures of the DBMS itself.

The check consists of verifying the checksums that were calculated when the DBMS installation package was built and after authorized changes.


QHB Integrity Control Objects

The objects under integrity control are the supplied binary utilities and the program code of stored procedures, both built-in and added by the user during DBMS operation.

Binary utilities are checked against the files with the .sha256 suffix located in /var/lib/qhb/data/integrity.
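
An out-of-band version of the check described above, as an added example that is not QHB code: it recomputes SHA-256 digests for the files listed in a directory of .sha256 manifests and reports every problem it finds. It assumes each manifest uses the sha256sum(1) line format (digest, then path), which this page does not specify; verify_manifests is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not QHB code.
# Assumption: each *.sha256 manifest holds sha256sum(1)-style lines:
#   <hex digest>  <path>

# verify_manifests DIR  (hypothetical helper)
# Prints one line per problem. Returns 0 if every listed file matches,
# 1 on any mismatch, missing file or empty manifest, 2 if DIR holds no
# manifests at all (so an emptied directory never reads as "clean").
verify_manifests() {
    dir=$1
    failed=0
    found=0
    for manifest in "$dir"/*.sha256; do
        [ -f "$manifest" ] || continue      # unmatched glob stays literal
        found=1
        entries=0
        # "|| [ -n ... ]" keeps a last line that lacks a trailing newline
        while read -r expected path || [ -n "$expected" ]; do
            [ -n "$expected" ] || continue  # skip blank lines
            entries=$((entries + 1))
            path=${path#\*}                 # '*' marks binary mode
            if [ ! -f "$path" ]; then
                echo "MISSING  $path ($manifest)"
                failed=1
                continue
            fi
            # Read via stdin so a path starting with '-' is not an option
            actual=$(sha256sum < "$path" | cut -d' ' -f1)
            if [ "$actual" != "$expected" ]; then
                echo "MISMATCH $path ($manifest)"
                failed=1
            fi
        done < "$manifest"
        if [ "$entries" -eq 0 ]; then
            echo "EMPTY    $manifest"
            failed=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "NO MANIFESTS in $dir"
        return 2
    fi
    return "$failed"
}

# Usage: verify_manifests /var/lib/qhb/data/integrity
```

Running this from a separate host or read-only medium gives a result that does not depend on the state of the DBMS being checked.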


Integrity Violation Detection Measures

If a discrepancy is detected between the checksums of the binary utilities and their configuration in the DBMS release, DBMS users who are able to log in are blocked, with the exception of superusers and DBMS administrators (see the chapter Information Security Roles). Blocking is provided by the background DBMS process logon_jobs. Blocking applies to authentication via the md5 and password methods.

If a mismatch of checksums of DB blocks storing the program code of stored procedures is detected, users are blocked in a similar way.

The ability to load foreign libraries (including QHB extensions) into the address space of the running DBMS is also blocked.

WARNING! If a discrepancy is detected between the checksums of binary utilities and/or the program code of stored procedures on a replica in asynchronous replication mode, the replica will crash.

CAUTION! After restoring the integrity of the directory, you should restart the DBMS to unlock the users and address space for changes.

CAUTION! Unlocking users is not automatic. To unlock all users, you must execute the command UPDATE qhb_user_lockout SET locked = false.


Enabling the Integrity Control Subsystem

To enable the subsystem, you must set the logon_jobs and integrity_checks parameters in the configuration file:

logon_jobs=on
integrity_checks=on

By default, these parameters are disabled.

You should also select the frequency of checks in time units. For example:

integrity_period=20s