Check Object Integrity (CHKOBJITG)

Where allowed to run: All environments (*ALL) Threadsafe: No

Parameters Examples Error messages

The Check Object Integrity (CHKOBJITG) command checks the objects owned by the specified user profile, the objects that match the specified path name, or all objects on the system to determine if any objects have integrity violations. An integrity violation occurs if:

• a command has been tampered with.

• an object has a digital signature that is not valid.

• an object has an incorrect domain attribute for its object type.

• a program or module object has been tampered with.

• a library's attributes have been tampered with.

• an object failed a file system scan

If an integrity violation has occurred, the object name, library name (or pathname), object type, object owner, and type of failure are logged to a database file.

The type of violations that can occur are:

• ALTERED - The object has been tampered with.

• BADSIG - The object has a digital signature that is not valid.

• DMN - The domain is not correct for the object type.

• PGMMOD - The runnable object has been tampered with.

• BADLIBUPDA - The library protection attribute is set incorrectly.

• SCANFSFAIL - The object has been scanned by a scan-related exit program, and at the time of that last scan request, the object failed the scan.

Also logged to the database file, but not integrity violations, are objects that do not have a digital signature but can be signed, objects that could not be checked, and objects whose format requires changes to be used on this machine implementation (IMPI to RISC conversion).

The type of violations that can occur are:

• NOSIG - The object can be signed but does not have a digital signature.

• NOTCHECKED - The object cannot be checked, it is in debug mode, saved with storage freed, or compressed.

• NOTTRANS - The object has not been converted to RISC format.

Objects that are compressed, damaged, saved with storage freed, or in debug mode may not be checked.

IBM commands duplicated from a release prior to V5R2 will be logged as ALTERED violations. These commands should be deleted and re-created using the CRTDUPOBJ (Create Duplicate Object) command each time a new release is loaded.

Restrictions:

• To check object integrity, have audit (*AUDIT) special authority.

The CHKOBJITG command may run a long time if:

• the user profile specified for the USRPRF parameter owns many objects.

• *ALL is specified for the USRPRF parameter.

• *SYSTEM is specified for the OBJ parameter.

• many objects match the path name pattern specified for the OBJ parameter.

Top

---

 

Parameters

Keyword	Description	Choices	Notes
USRPRF	User profile, or	Generic name, name, *ALL	Optional, Positional 1
OBJ	Object	Path name, *SYSTEM	Optional
OUTFILE	File to receive output	Qualified object name	Optional, Positional 2
	Qualifier 1: File to receive output	Name
	Qualifier 2: Library	Name, *LIBL, *CURLIB
OUTMBR	Output member options	Element list	Optional
	Element 1: Member to receive output	Name, *FIRST
	Element 2: Replace or add records	*REPLACE, *ADD
CHKDMN	Check domain	*YES, *NO	Optional
CHKPGMMOD	Check program and module	*YES, *NO	Optional
CHKCMD	Check command	*YES, *NO	Optional
CHKSIG	Check signature	*SIGNED, *ALL, *NONE	Optional
CHKLIB	Check library	*YES, *NO	Optional
SCANFS	Scan file systems	*STATUS, *YES, *NO	Optional
SUBTREE	Directory subtree	*NONE, *ALL	Optional

Top

 

User profile (USRPRF)

Specifies the user profiles for which owned objects will be checked for integrity violations.

A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.

*ALL

Objects owned by all user profiles on the system are to be checked.

generic-name

Specify the generic names of the user profiles whose owned objects are to be checked.

A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.

name

Specify the name of the user profile whose owned objects are to be checked.

Top

 

Object (OBJ)

Specifies the objects that will be checked for integrity violations.

A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.

*SYSTEM

All objects in all available auxiliary storage pools (ASPs) are to be checked.

When *SYSTEM is specified, the only value allowed for the CHKSIG parameter is *ALL.

path-name

Specify the path name of the objects that are to be checked.

The object path name can be either a simple name or a name that is qualified with the name of the directory in which the object is located. A pattern can be specified in the last part of the path name. An asterisk (*) matches any number of characters and a question mark (?) matches a single character. If the path name is qualified or contains a pattern, it must be enclosed in apostrophes.

Top

 

File to receive output (OUTFILE)

Specifies the database file to which the output of the command is directed. If the file does not exist, this command creates a database file in the specified library. If the file is created, the public authority for the file is the same as the create authority specified for the library in which the file is created. Use the Display Library Description (DSPLIBD) command to show the library's create authority.

Qualifier 1: File to receive output

name

Specify the name of the database file to which the command output is directed.

Qualifier 2: Library

*LIBL

The library list is used to locate the file. If the file is not found, one is created in the current library. If no current library exists, the file will be created in the QGPL library.

*CURLIB

The current library for the thread is used to locate the file. If no library is specified as the current library for the thread, the QGPL library is used.

name

Specify the name of the library to be searched.

If a new file is created, system file QASYCHKI in system library QSYS with a format name of QASYCHKI is used as a model.

Top

 

Output member options (OUTMBR)

Specifies the name of the database file member that receives the output of the command.

Element 1: Member to receive output

*FIRST

The first member in the file receives the output. If OUTMBR(*FIRST) is specified and the member does not exist, the system creates a member with the name of the file specified for the File to receive output (OUTFILE) parameter. If the member already exists, you have the option to add new records to the end of the existing member or clear the member and then add the new records.

name

Specify the name of the file member that receives the output. If it does not exist, the system creates it.

Element 2: Replace or add records

*REPLACE

The system clears the existing member and adds the new records.

*ADD

The system adds the new records to the end of the existing records.

Top

 

Check domain (CHKDMN)

Specifies whether or not to check object domain integrity.

*YES

Object domain integrity is to be checked.

The following objects are valid in user domain so they are not checked:

• QTEMP library

• all objects of type *PGM

• all objects of type *SQLPKG

• all objects of type *SRVPGM

The following object types are valid in user domain only if the library they are in is specified in system value QALWUSRDMN (or if QALUSRDMN is *ALL).

• *USRSPC

• *USRQ

• *USRIDX

*NO

Object domain integrity is not to be checked.

Top

 

Check program and module (CHKPGMMOD)

Specifies whether or not the integrity of program and module objects will be checked.

*YES

Program and module integrity is to be checked.

*NO

Program and module integrity is not to be checked.

Top

 

Check command (CHKCMD)

Specifies whether or not the integrity of commands will be checked.

*YES

Command integrity is to be checked.

*NO

Command integrity is not to be checked.

Top

 

Check signature (CHKSIG)

Specifies whether or not the digital signatures of objects that can be signed will be checked.

*SIGNED

Objects with digital signatures are checked. Any object with a signature that is not valid will be logged.

*ALL

All objects that can be digitally signed are checked. Any object that can be signed but has no signature will be logged. Any object with a signature that is not valid will be logged.

*NONE

Digital signatures will not be checked.

Top

 

Check library (CHKLIB)

Specifies whether or not the integrity of library attributes will be checked.

*YES

Library attribute integrity is to be checked.

*NO

Library attribute integrity is not to be checked.

Top

 

Scan file systems (SCANFS)

Specifies whether objects in the integrated file systems identified by the QSCANFS system value should be scanned or if existing scan status should be returned.

The integrated file system scan-related exit points are:

• QIBM_QP0L_SCAN_OPEN - Integrated File System Scan on Open Exit Program

• QIBM_QP0L_SCAN_CLOSE - Integrated File System Scan on Close Exit Program

For details on these exit points, see the System API Reference information in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter.

*STATUS

Objects will not be scanned, but if an object's status indicates it failed the most recent scan operation, a SCANFSFAIL integrity violation will be logged.

*YES

Objects will be scanned according to the rules described in the scan-related exit programs. If an object fails the scan operation, a SCANFSFAIL integrity violation will be logged.

*NO

Objects will not be scanned and their scan failure status will not be logged.

Top

 

Directory subtree (SUBTREE)

Specifies whether or not to check the objects within the subtree if the object specified by the Object (OBJ) parameter is a directory.

*NONE

The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked, but the directory contents will not be checked.

*ALL

The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked as well as its contents and the contents of all subdirectories.

Pattern matching from the OBJ parameter only applies to the first level objects. If the first level object is a directory, the pattern matching does not apply to its contents or the contents of its subdirectories.

Top

---

 

Examples

Example 1: Check Objects Owned by One User Profile

 CHKOBJITG   USRPRF(JOEPGMR)  OUTFILE(SECCHECK)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*YES)  CHKPGMMOD(*YES)
            CHKSIG(*YES)  CHKLIB(*YES)

This command checks all objects owned by user JOEPGMR for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, objects with digital signatures that are not valid, and libraries whose attributes have been tampered with will cause integrity violation records to be logged in database file SECCHECK. Database file SECCHECK is first cleared of any existing records.

Example 2: Check Objects Owned by Multiple User Profiles

 CHKOBJITG   USRPRF(ABC*)  OUTFILE(ABCCHECK)
            OUTMBR(*FIRST *REPLACE)  CHKDMN(*YES)
            CHKPGMMOD(*YES)  CHKSIG(*NONE)  CHKLIB(*YES)

This command checks all objects owned by user profiles that start with ABC for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and libraries whose attributes have been tampered with will cause integrity violation records to be logged to database file ABCCHECK. Database file ABCCHECK will first be cleared of any existing records.

Example 3: Check Objects in One Library

 CHKOBJITG   OBJ('/QSYS.LIB/LIB2.LIB/ABC*.*)  OUTFILE(SECCHECK2)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*YES)  CHKPGMMOD(*YES)
            CHKSIG(*ALL)  CHKLIB(*NO)

This command checks objects in library LIB2 that have names beginning with ABC that are of any object type for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and objects with not valid or missing digital signatures will cause integrity violation records to be logged to database file SECCHECK2. Database file SECCHECK2 will first be cleared of any existing records.

Example 4: Check Object in a Directory

 CHKOBJITG   OBJ('/PartOrder/Forms.jar')  OUTFILE(SECCHECK3)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*NO)  CHKPGMMOD(*NO)
            CHKSIG(*ALL)  CHKLIB(*NO)

This command checks file Forms.jar in directory PartOrder for integrity violations. If the file has a digital signature that is not valid or is capable of being signed and has no signature, an integrity violation record will be logged to database file SECCHECK3. Database file SECCHECK3 will first be cleared of any existing records.

Any Java programs associated with this stream file will be checked for valid signatures as well.

Example 5: Check Object in a Directory

 CHKOBJITG   OBJ('/Parts/*')  OUTFILE(SECCHECK4)
            CHKDMN(*NO)  CHKPGMMOD(*NO)  CHKSIG(*NONE)
            CHKLIB(*NO) SCANFS(*YES)

This command scans all files in directory Parts for integrity violations. If a file fails the scan by the scan-related exit program, an integrity violation record will be logged to database file SECCHECK4.

Top

---

 

Error messages

*ESCAPE Messages

CPF22D9

No user profiles of specified name exist.

CPF22F0

Unexpected errors occurred during processing.

CPF2204

User profile &1 not found.

CPF2213

Not able to allocate user profile &1.

CPF222E

&1 special authority is required.

CPF222F

Command not run.

CPF9860

Error occurred during output file processing.

Top