Check Object Integrity (CHKOBJITG)

The Check Object Integrity (CHKOBJITG) command checks the objects owned by the specified user profile, the objects that match the specified path name, or all objects on the system to determine if any objects have integrity violations. An integrity violation occurs if:

If an integrity violation has occurred, the object name, library name (or pathname), object type, object owner, and type of failure are logged to a database file.

The types of violations that can occur are:

If a violation is logged for a Licensed Internal Code module, the object name will be the 8-character RU name (the replaceable unit name of the Licensed Internal Code module), the library name will be blank, and the object type will be *LIC. If a violation of this type is encountered, contact your service representative to recover.

Also logged to the database file, but not integrity violations, are objects that do not have a digital signature but can be signed, objects that could not be checked, and objects whose format requires changes to be used on this machine implementation.

The types of violations that can occur are:

Note: Objects that are compressed, damaged, saved with storage freed, or in debug mode may not be checked.

Note: IBM commands duplicated from a release prior to V5R2 will be logged as ALTERED violations. These commands should be deleted and re-created using the CRTDUPOBJ (Create Duplicate Object) command each time a new release is loaded.

Restrictions:

Note: The CHKOBJITG command may run a long time if:

Parameters

Keyword | Description | Choices | Notes
--- | --- | --- | ---
USRPRF | User profile | Generic name, name, *ALL | Optional, Positional 1
OBJ | Object | Path name, *SYSTEM | Optional
OUTFILE | File to receive output | Qualified object name | Optional, Positional 2
 | Qualifier 1: File to receive output | Name |
 | Qualifier 2: Library | Name, *LIBL, *CURLIB |
OUTMBR | Output member options | Element list | Optional
 | Element 1: Member to receive output | Name, *FIRST |
 | Element 2: Replace or add records | *REPLACE, *ADD |
CHKDMN | Check domain | *YES, *NO | Optional
CHKPGMMOD | Check program and module | *YES, *NO | Optional
CHKCMD | Check command | *YES, *NO | Optional
CHKSIG | Check signature | *SIGNED, *ALL, *NONE | Optional
CHKLIB | Check library | *YES, *NO | Optional
SCANFS | Scan file systems | *STATUS, *YES, *NO | Optional
SUBTREE | Directory subtree | *NONE, *ALL | Optional
CHKLIC | Check Licensed Internal Code | *YES, *NO, *ONLY | Optional

User profile (USRPRF)

Specifies the user profiles for which owned objects will be checked for integrity violations.

Note: A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.

*ALL
Objects owned by all user profiles on the system are to be checked.
generic-name
Specify the generic names of the user profiles whose owned objects are to be checked.

A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.

name
Specify the name of the user profile whose owned objects are to be checked.

Object (OBJ)

Specifies the objects that will be checked for integrity violations.

Note: A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.

Note: This parameter is Unicode-enabled. See "Unicode support in CL" in the CL topic collection in the Programming category in the IBM i Information Center at http://www.ibm.com/systems/i/infocenter/ for additional information.

*SYSTEM
All objects in all available auxiliary storage pools (ASPs) are to be checked.

Note: When *SYSTEM is specified, the only value allowed for the CHKSIG parameter is *ALL.

path-name
Specify the path name of the objects that are to be checked.

The object path name can be either a simple name or a name that is qualified with the name of the directory in which the object is located. A pattern can be specified in the last part of the path name. An asterisk (*) matches any number of characters and a question mark (?) matches a single character. If the path name is qualified or contains a pattern, it must be enclosed in apostrophes.

File to receive output (OUTFILE)

Specifies the database file to which the output of the command is directed. If the file does not exist, this command creates a database file in the specified library. If the file is created, the public authority for the file is the same as the create authority specified for the library in which the file is created. Use the Display Library Description (DSPLIBD) command to show the library's create authority.

Qualifier 1: File to receive output

name
Specify the name of the database file to which the command output is directed.

Qualifier 2: Library

*LIBL
The library list is used to locate the file. If the file is not found, one is created in the current library. If no current library exists, the file will be created in the QGPL library.
*CURLIB
The current library for the thread is used to locate the file. If no library is specified as the current library for the thread, the QGPL library is used.
name
Specify the name of the library to be searched.

Note: If a new file is created, system file QASYCHKI in system library QSYS with a format name of QASYCHKI is used as a model.

Output member options (OUTMBR)

Specifies the name of the database file member that receives the output of the command.

Element 1: Member to receive output

*FIRST
The first member in the file receives the output. If OUTMBR(*FIRST) is specified and the member does not exist, the system creates a member with the name of the file specified for the File to receive output (OUTFILE) parameter. If the member already exists, you have the option to add new records to the end of the existing member or clear the member and then add the new records.
name
Specify the name of the file member that receives the output. If it does not exist, the system creates it.

Element 2: Replace or add records

*REPLACE
The system clears the existing member and adds the new records.
*ADD
The system adds the new records to the end of the existing records.

Check domain (CHKDMN)

Specifies whether or not to check object domain integrity.

*YES
Object domain integrity is to be checked.

Note: The following objects are valid in user domain so they are not checked:

  • QTEMP library
  • all objects of type *PGM
  • all objects of type *SQLPKG
  • all objects of type *SRVPGM

The following object types are valid in user domain only if the library they are in is specified in system value QALWUSRDMN (or if QALWUSRDMN is *ALL).

  • *USRSPC
  • *USRQ
  • *USRIDX
*NO
Object domain integrity is not to be checked.

Check program and module (CHKPGMMOD)

Specifies whether or not the integrity of program and module objects will be checked.

*YES
Program and module integrity is to be checked.
*NO
Program and module integrity is not to be checked.

Check command (CHKCMD)

Specifies whether or not the integrity of commands will be checked.

*YES
Command integrity is to be checked.
*NO
Command integrity is not to be checked.

Check signature (CHKSIG)

Specifies whether or not the digital signatures of objects that can be signed will be checked.

*SIGNED
Objects with digital signatures are checked. Any object with a signature that is not valid will be logged.
*ALL
All objects that can be digitally signed are checked. Any object that can be signed but has no signature will be logged. Any object with a signature that is not valid will be logged.
*NONE
Digital signatures will not be checked.

Check library (CHKLIB)

Specifies whether or not the integrity of library attributes will be checked.

*YES
Library attribute integrity is to be checked.
*NO
Library attribute integrity is not to be checked.

Scan file systems (SCANFS)

Specifies whether objects in the integrated file systems identified by the QSCANFS system value should be scanned or if existing scan status should be returned.

The integrated file system scan-related exit points are:

For details on these exit points, see the APIs topic collection in the Programming category in the IBM i Information Center at http://www.ibm.com/systems/i/infocenter/.

*STATUS
Objects will not be scanned, but if an object's status indicates it failed the most recent scan operation, a SCANFSFAIL integrity violation will be logged.
*YES
Objects will be scanned according to the rules described in the scan-related exit programs. If an object fails the scan operation, a SCANFSFAIL integrity violation will be logged.
*NO
Objects will not be scanned and their scan failure status will not be logged.

Directory subtree (SUBTREE)

Specifies whether or not to check the objects within the subtree if the object specified by the Object (OBJ) parameter is a directory.

*NONE
The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked, but the directory contents will not be checked.
*ALL
The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked as well as its contents and the contents of all subdirectories.

Note: Pattern matching from the OBJ parameter only applies to the first level objects. If the first level object is a directory, the pattern matching does not apply to its contents or the contents of its subdirectories.

Once the command has begun processing a specific directory subtree, the objects which will be found and processed may be affected by operations that update the organization of objects within the specified directory tree. This includes, but is not limited to, the following:

  • Adding, removing, or renaming object links
  • Mounting or unmounting file systems
  • Updating the effective root directory for the process calling the command
  • Updating the contents of a symbolic link

In order to process the directory subtree, the system code may increase the process-scoped maximum number of file descriptors that can be opened during processing. This is done so that the command is not likely to fail due to a lack of descriptors. This process-scoped maximum value is not reset when the command completes.

Check Licensed Internal Code (CHKLIC)

Specifies whether or not to check the integrity of the Licensed Internal Code.

Note: This parameter can only be specified when *SYSTEM is specified for the Object (OBJ) parameter and *ALL is specified for the Check signature (CHKSIG) parameter.

*YES
Licensed Internal Code digital signatures are checked in addition to the checks that are performed when *SYSTEM is specified for the Object (OBJ) parameter.
*NO
Licensed Internal Code digital signatures are not checked. The checks that are performed when *SYSTEM is specified for the Object (OBJ) parameter will still be performed.
*ONLY
Only Licensed Internal Code digital signatures are checked. The checks that are performed when *SYSTEM is specified for the Object (OBJ) parameter will not be performed.
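
The parameter rules stated above (exactly one of USRPRF and OBJ, OBJ(*SYSTEM) allowing only CHKSIG(*ALL), CHKLIC only with both, the fixed choice lists, and apostrophes around qualified or pattern path names) can be checked before a command string goes into a scheduled job. This is an added Python example, not IBM code; the function names are hypothetical, and it assumes keyword form (no positional values) and treats an omitted CHKSIG as not satisfying the CHKLIC rule.

```python
import re

# Added example: parse_keywords and lint_chkobjitg are illustrative names, not IBM APIs.
# Documented choices for keywords with a fixed value list (from the parameter table).
CHOICES = {
    "CHKDMN": {"*YES", "*NO"}, "CHKPGMMOD": {"*YES", "*NO"},
    "CHKCMD": {"*YES", "*NO"}, "CHKLIB": {"*YES", "*NO"},
    "CHKSIG": {"*SIGNED", "*ALL", "*NONE"},
    "SCANFS": {"*STATUS", "*YES", "*NO"},
    "SUBTREE": {"*NONE", "*ALL"},
    "CHKLIC": {"*YES", "*NO", "*ONLY"},
}
KNOWN = set(CHOICES) | {"USRPRF", "OBJ", "OUTFILE", "OUTMBR"}


def parse_keywords(command):
    """Return {KEYWORD: value} for KEYWORD(value) pairs in a CHKOBJITG string."""
    body = re.sub(r"^\s*CHKOBJITG\b", "", command, flags=re.I)
    # A value is either an apostrophe-quoted string or anything up to ')'.
    pairs = re.findall(r"(\w+)\(\s*('[^']*'|[^)]*?)\s*\)", body)
    return {kw.upper(): val for kw, val in pairs}


def lint_chkobjitg(command):
    """Return a list of rule violations; an empty list means the command passes."""
    kw = parse_keywords(command)
    problems = [f"unknown keyword {k}" for k in kw if k not in KNOWN]
    for key, allowed in CHOICES.items():
        if key in kw and kw[key].upper() not in allowed:
            problems.append(f"{key}({kw[key]}) is not one of {sorted(allowed)}")
    if ("USRPRF" in kw) == ("OBJ" in kw):
        problems.append("specify exactly one of USRPRF and OBJ")
    obj = kw.get("OBJ", "")
    chksig = kw.get("CHKSIG", "").upper()
    if obj.upper() == "*SYSTEM" and "CHKSIG" in kw and chksig != "*ALL":
        problems.append("OBJ(*SYSTEM) allows only CHKSIG(*ALL)")
    if "CHKLIC" in kw and not (obj.upper() == "*SYSTEM" and chksig == "*ALL"):
        problems.append("CHKLIC requires OBJ(*SYSTEM) and CHKSIG(*ALL)")
    if obj and obj.upper() != "*SYSTEM":
        quoted = len(obj) >= 2 and obj[0] == obj[-1] == "'"
        if not quoted and re.search(r"[/*?]", obj):
            problems.append("qualified or pattern path name must be in apostrophes")
    return problems
```
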

Examples

Example 1: Check Objects Owned by One User Profile

CHKOBJITG   USRPRF(JOEPGMR)  OUTFILE(SECCHECK)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*YES)  CHKPGMMOD(*YES)
            CHKSIG(*SIGNED)  CHKLIB(*YES)

This command checks all objects owned by user JOEPGMR for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, objects with digital signatures that are not valid, and libraries whose attributes have been tampered with will cause integrity violation records to be logged in database file SECCHECK. Database file SECCHECK is first cleared of any existing records.

Example 2: Check Objects Owned by Multiple User Profiles

CHKOBJITG   USRPRF(ABC*)  OUTFILE(ABCCHECK)
            OUTMBR(*FIRST *REPLACE)  CHKDMN(*YES)
            CHKPGMMOD(*YES)  CHKSIG(*NONE)  CHKLIB(*YES)

This command checks all objects owned by user profiles that start with ABC for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and libraries whose attributes have been tampered with will cause integrity violation records to be logged to database file ABCCHECK. Database file ABCCHECK will first be cleared of any existing records.

Example 3: Check Objects in One Library

CHKOBJITG   OBJ('/QSYS.LIB/LIB2.LIB/ABC*.*')  OUTFILE(SECCHECK2)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*YES)  CHKPGMMOD(*YES)
            CHKSIG(*ALL)  CHKLIB(*NO)

This command checks objects of any object type in library LIB2 whose names begin with ABC for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and objects with digital signatures that are missing or not valid will cause integrity violation records to be logged to database file SECCHECK2. Database file SECCHECK2 will first be cleared of any existing records.

Example 4: Check Object in a Directory

CHKOBJITG   OBJ('/PartOrder/Forms.jar')  OUTFILE(SECCHECK3)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*NO)  CHKPGMMOD(*NO)
            CHKSIG(*ALL)  CHKLIB(*NO)

This command checks file Forms.jar in directory PartOrder for integrity violations. If the file has a digital signature that is not valid or is capable of being signed and has no signature, an integrity violation record will be logged to database file SECCHECK3. Database file SECCHECK3 will first be cleared of any existing records.

Note: Any Java programs associated with this stream file will be checked for valid signatures as well.

Example 5: Scan Files

CHKOBJITG   OBJ('/Parts/*')  OUTFILE(SECCHECK4)
            CHKDMN(*NO)  CHKPGMMOD(*NO)  CHKSIG(*NONE)
            CHKLIB(*NO) SCANFS(*YES)

This command scans all files in directory Parts for integrity violations. If a file fails the scan by the scan-related exit program, an integrity violation record will be logged to database file SECCHECK4.

Example 6: Check Licensed Internal Code

CHKOBJITG   OBJ(*SYSTEM)  OUTFILE(SECCHECK5)
            CHKDMN(*NO)  CHKPGMMOD(*NO)  CHKSIG(*ALL)
            CHKLIB(*NO) SCANFS(*NO) CHKLIC(*ONLY)

This command will check the Licensed Internal Code for integrity violations. If any of the Licensed Internal Code has a digital signature that is not valid, or does not have a signature, an integrity violation record will be logged to database file SECCHECK5.

Error messages

*ESCAPE Messages

CPFA0AA
Error occurred while attempting to obtain space.
CPFA0A9
Object not found. Object is &1.
CPFA093
Name matching pattern not found.
CPF22D9
No user profiles of specified name exist.
CPF22F0
Unexpected errors occurred during processing.
CPF2204
User profile &1 not found.
CPF2213
Not able to allocate user profile &1.
CPF222E
&1 special authority is required.
CPF222F
Command not run.
CPF4AAC
User profile &2 not processed.
CPF4ABD
Licensed Internal Code not checked.
CPF9860
Error occurred during output file processing.