Check Object Integrity (CHKOBJITG)

Where allowed to run: All environments (*ALL)
Threadsafe: No
Parameters
Examples
Error messages

The Check Object Integrity (CHKOBJITG) command checks the objects owned by the specified user profile, the objects that match the specified path name, or all objects on the system to determine if any objects have integrity violations. An integrity violation occurs if:

If an integrity violation has occurred, the object name, library name (or pathname), object type, object owner, and type of failure are logged to a database file.

The type of violations that can occur are:

Also logged to the database file, but not integrity violations, are objects that do not have a digital signature but can be signed, objects that could not be checked, and objects whose format requires changes to be used on this machine implementation (IMPI to RISC conversion).

The type of violations that can occur are:

Note: Objects that are compressed, damaged, saved with storage freed, or in debug mode may not be checked.

Note: IBM commands duplicated from a release prior to V5R2 will be logged as ALTERED violations. These commands should be deleted and re-created using the CRTDUPOBJ (Create Duplicate Object) command each time a new release is loaded.

Restrictions:

Note: The CHKOBJITG command may run a long time if:

Top

Parameters

Keyword Description Choices Notes
USRPRF User profile, or Generic name, name, *ALL Optional, Positional 1
OBJ Object Path name, *SYSTEM Optional
OUTFILE File to receive output Qualified object name Optional, Positional 2
Qualifier 1: File to receive output Name
Qualifier 2: Library Name, *LIBL, *CURLIB
OUTMBR Output member options Element list Optional
Element 1: Member to receive output Name, *FIRST
Element 2: Replace or add records *REPLACE, *ADD
CHKDMN Check domain *YES, *NO Optional
CHKPGMMOD Check program and module *YES, *NO Optional
CHKCMD Check command *YES, *NO Optional
CHKSIG Check signature *SIGNED, *ALL, *NONE Optional
CHKLIB Check library *YES, *NO Optional
SCANFS Scan file systems *STATUS, *YES, *NO Optional
SUBTREE Directory subtree *NONE, *ALL Optional
Top

User profile (USRPRF)

Specifies the user profiles for which owned objects will be checked for integrity violations.

Note: A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.

*ALL
Objects owned by all user profiles on the system are to be checked.
generic-name
Specify the generic names of the user profiles whose owned objects are to be checked.

A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.

name
Specify the name of the user profile whose owned objects are to be checked.
Top

Object (OBJ)

Specifies the objects that will be checked for integrity violations.

Note: A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.

*SYSTEM
All objects in all available auxiliary storage pools (ASPs) are to be checked.

Note: When *SYSTEM is specified, the only value allowed for the CHKSIG parameter is *ALL.

path-name
Specify the path name of the objects that are to be checked.

The object path name can be either a simple name or a name that is qualified with the name of the directory in which the object is located. A pattern can be specified in the last part of the path name. An asterisk (*) matches any number of characters and a question mark (?) matches a single character. If the path name is qualified or contains a pattern, it must be enclosed in apostrophes.

Top

File to receive output (OUTFILE)

Specifies the database file to which the output of the command is directed. If the file does not exist, this command creates a database file in the specified library. If the file is created, the public authority for the file is the same as the create authority specified for the library in which the file is created. Use the Display Library Description (DSPLIBD) command to show the library's create authority.

Qualifier 1: File to receive output

name
Specify the name of the database file to which the command output is directed.

Qualifier 2: Library

*LIBL
The library list is used to locate the file. If the file is not found, one is created in the current library. If no current library exists, the file will be created in the QGPL library.
*CURLIB
The current library for the thread is used to locate the file. If no library is specified as the current library for the thread, the QGPL library is used.
name
Specify the name of the library to be searched.

Note: If a new file is created, system file QASYCHKI in system library QSYS with a format name of QASYCHKI is used as a model.

Top

Output member options (OUTMBR)

Specifies the name of the database file member that receives the output of the command.

Element 1: Member to receive output

*FIRST
The first member in the file receives the output. If OUTMBR(*FIRST) is specified and the member does not exist, the system creates a member with the name of the file specified for the File to receive output (OUTFILE) parameter. If the member already exists, you have the option to add new records to the end of the existing member or clear the member and then add the new records.
name
Specify the name of the file member that receives the output. If it does not exist, the system creates it.

Element 2: Replace or add records

*REPLACE
The system clears the existing member and adds the new records.
*ADD
The system adds the new records to the end of the existing records.
Top

Check domain (CHKDMN)

Specifies whether or not to check object domain integrity.

*YES
Object domain integrity is to be checked.

Note: The following objects are valid in user domain so they are not checked:

  • QTEMP library
  • all objects of type *PGM
  • all objects of type *SQLPKG
  • all objects of type *SRVPGM

The following object types are valid in user domain only if the library they are in is specified in system value QALWUSRDMN (or if QALUSRDMN is *ALL).

  • *USRSPC
  • *USRQ
  • *USRIDX
*NO
Object domain integrity is not to be checked.
Top

Check program and module (CHKPGMMOD)

Specifies whether or not the integrity of program and module objects will be checked.

*YES
Program and module integrity is to be checked.
*NO
Program and module integrity is not to be checked.
Top

Check command (CHKCMD)

Specifies whether or not the integrity of commands will be checked.

*YES
Command integrity is to be checked.
*NO
Command integrity is not to be checked.
Top

Check signature (CHKSIG)

Specifies whether or not the digital signatures of objects that can be signed will be checked.

*SIGNED
Objects with digital signatures are checked. Any object with a signature that is not valid will be logged.
*ALL
All objects that can be digitally signed are checked. Any object that can be signed but has no signature will be logged. Any object with a signature that is not valid will be logged.
*NONE
Digital signatures will not be checked.
Top

Check library (CHKLIB)

Specifies whether or not the integrity of library attributes will be checked.

*YES
Library attribute integrity is to be checked.
*NO
Library attribute integrity is not to be checked.
Top

Scan file systems (SCANFS)

Specifies whether objects in the integrated file systems identified by the QSCANFS system value should be scanned or if existing scan status should be returned.

The integrated file system scan-related exit points are:

For details on these exit points, see the System API Reference information in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter.

*STATUS
Objects will not be scanned, but if an object's status indicates it failed the most recent scan operation, a SCANFSFAIL integrity violation will be logged.
*YES
Objects will be scanned according to the rules described in the scan-related exit programs. If an object fails the scan operation, a SCANFSFAIL integrity violation will be logged.
*NO
Objects will not be scanned and their scan failure status will not be logged.
Top

Directory subtree (SUBTREE)

Specifies whether or not to check the objects within the subtree if the object specified by the Object (OBJ) parameter is a directory.

*NONE
The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked, but the directory contents will not be checked.
*ALL
The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked as well as its contents and the contents of all subdirectories.

Note: Pattern matching from the OBJ parameter only applies to the first level objects. If the first level object is a directory, the pattern matching does not apply to its contents or the contents of its subdirectories.

Top

Examples

Example 1: Check Objects Owned by One User Profile

CHKOBJITG   USRPRF(JOEPGMR)  OUTFILE(SECCHECK)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*YES)  CHKPGMMOD(*YES)
            CHKSIG(*YES)  CHKLIB(*YES)

This command checks all objects owned by user JOEPGMR for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, objects with digital signatures that are not valid, and libraries whose attributes have been tampered with will cause integrity violation records to be logged in database file SECCHECK. Database file SECCHECK is first cleared of any existing records.

Example 2: Check Objects Owned by Multiple User Profiles

CHKOBJITG   USRPRF(ABC*)  OUTFILE(ABCCHECK)
            OUTMBR(*FIRST *REPLACE)  CHKDMN(*YES)
            CHKPGMMOD(*YES)  CHKSIG(*NONE)  CHKLIB(*YES)

This command checks all objects owned by user profiles that start with ABC for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and libraries whose attributes have been tampered with will cause integrity violation records to be logged to database file ABCCHECK. Database file ABCCHECK will first be cleared of any existing records.

Example 3: Check Objects in One Library

CHKOBJITG   OBJ('/QSYS.LIB/LIB2.LIB/ABC*.*)  OUTFILE(SECCHECK2)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*YES)  CHKPGMMOD(*YES)
            CHKSIG(*ALL)  CHKLIB(*NO)

This command checks objects in library LIB2 that have names beginning with ABC that are of any object type for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and objects with not valid or missing digital signatures will cause integrity violation records to be logged to database file SECCHECK2. Database file SECCHECK2 will first be cleared of any existing records.

Example 4: Check Object in a Directory

CHKOBJITG   OBJ('/PartOrder/Forms.jar')  OUTFILE(SECCHECK3)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*NO)  CHKPGMMOD(*NO)
            CHKSIG(*ALL)  CHKLIB(*NO)

This command checks file Forms.jar in directory PartOrder for integrity violations. If the file has a digital signature that is not valid or is capable of being signed and has no signature, an integrity violation record will be logged to database file SECCHECK3. Database file SECCHECK3 will first be cleared of any existing records.

Note: Any Java programs associated with this stream file will be checked for valid signatures as well.

Example 5: Check Object in a Directory

CHKOBJITG   OBJ('/Parts/*')  OUTFILE(SECCHECK4)
            CHKDMN(*NO)  CHKPGMMOD(*NO)  CHKSIG(*NONE)
            CHKLIB(*NO) SCANFS(*YES)

This command scans all files in directory Parts for integrity violations. If a file fails the scan by the scan-related exit program, an integrity violation record will be logged to database file SECCHECK4.

Top

Error messages

*ESCAPE Messages

CPF22D9
No user profiles of specified name exist.
CPF22F0
Unexpected errors occurred during processing.
CPF2204
User profile &1 not found.
CPF2213
Not able to allocate user profile &1.
CPF222E
&1 special authority is required.
CPF222F
Command not run.
CPF9860
Error occurred during output file processing.
Top