Check Object Integrity (CHKOBJITG)

The Check Object Integrity (CHKOBJITG) command checks the objects owned by the specified user profile, the objects that match the specified path name, or all objects on the system to determine if any objects have integrity violations. An integrity violation occurs if:

a command has been tampered with.
an object has a digital signature that is not valid.
an object has an incorrect domain attribute for its object type.
a program or module object has been tampered with.
a library's attributes have been tampered with.
an object failed a file system scan

If an integrity violation has occurred, the object name, library name (or pathname), object type, object owner, and type of failure are logged to a database file.

The type of violations that can occur are:

ALTERED - The object has been tampered with.
BADSIG - The object has a digital signature that is not valid.
DMN - The domain is not correct for the object type.
PGMMOD - The runnable object has been tampered with.
BADLIBUPDA - The library protection attribute is set incorrectly.
SCANFSFAIL - The object has been scanned by a scan-related exit program, and at the time of that last scan request, the object failed the scan.

Also logged to the database file, but not integrity violations, are objects that do not have a digital signature but can be signed, objects that could not be checked, and objects whose format requires changes to be used on this machine implementation (IMPI to RISC conversion).

The type of violations that can occur are:

NOSIG - The object can be signed but does not have a digital signature.
NOTCHECKED - The object cannot be checked, it is in debug mode, saved with storage freed, or compressed.
NOTTRANS - The object has not been converted to RISC format.

Note: Objects that are compressed, damaged, saved with storage freed, or in debug mode may not be checked.

Note: IBM commands duplicated from a release prior to V5R2 will be logged as ALTERED violations. These commands should be deleted and re-created using the CRTDUPOBJ (Create Duplicate Object) command each time a new release is loaded.

Restrictions:

To check object integrity, you must have audit (*AUDIT) special authority.

Note: The CHKOBJITG command may run a long time if:

the user profile specified for the USRPRF parameter owns many objects.
*ALL is specified for the USRPRF parameter.
*SYSTEM is specified for the OBJ parameter.
many objects match the path name pattern specified for the OBJ parameter.

Parameters

Keyword	Description	Choices	Notes
USRPRF	User profile, or	Generic name, name, *ALL	Optional, Positional 1
OBJ	Object	Path name, *SYSTEM	Optional
OUTFILE	File to receive output	Qualified object name	Optional, Positional 2
	Qualifier 1: File to receive output	Name
	Qualifier 2: Library	Name, LIBL, CURLIB
OUTMBR	Output member options	Element list	Optional
	Element 1: Member to receive output	Name, *FIRST
	Element 2: Replace or add records	REPLACE, ADD
CHKDMN	Check domain	YES, NO	Optional
CHKPGMMOD	Check program and module	YES, NO	Optional
CHKCMD	Check command	YES, NO	Optional
CHKSIG	Check signature	SIGNED, ALL, *NONE	Optional
CHKLIB	Check library	YES, NO	Optional
SCANFS	Scan file systems	STATUS, YES, *NO	Optional
SUBTREE	Directory subtree	NONE, ALL	Optional

Top

User profile (USRPRF)

Specifies the user profiles for which owned objects will be checked for integrity violations.

Note: A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.

*ALL: Objects owned by all user profiles on the system are to be checked.
generic-name: Specify the generic names of the user profiles whose owned objects are to be checked.
A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.
name: Specify the name of the user profile whose owned objects are to be checked.

Object (OBJ)

Specifies the objects that will be checked for integrity violations.

Note: A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.

*SYSTEM: All objects in all available auxiliary storage pools (ASPs) are to be checked.
Note: When *SYSTEM is specified, the only value allowed for the CHKSIG parameter is *ALL.
path-name: Specify the path name of the objects that are to be checked.
The object path name can be either a simple name or a name that is qualified with the name of the directory in which the object is located. A pattern can be specified in the last part of the path name. An asterisk (*) matches any number of characters and a question mark (?) matches a single character. If the path name is qualified or contains a pattern, it must be enclosed in apostrophes.

File to receive output (OUTFILE)

Specifies the database file to which the output of the command is directed. If the file does not exist, this command creates a database file in the specified library. If the file is created, the public authority for the file is the same as the create authority specified for the library in which the file is created. Use the Display Library Description (DSPLIBD) command to show the library's create authority.

Qualifier 1: File to receive output

name: Specify the name of the database file to which the command output is directed.

Qualifier 2: Library

*LIBL: The library list is used to locate the file. If the file is not found, one is created in the current library. If no current library exists, the file will be created in the QGPL library.
*CURLIB: The current library for the thread is used to locate the file. If no library is specified as the current library for the thread, the QGPL library is used.

name: Specify the name of the library to be searched.

Note: If a new file is created, system file QASYCHKI in system library QSYS with a format name of QASYCHKI is used as a model.

Output member options (OUTMBR)

Specifies the name of the database file member that receives the output of the command.

Element 1: Member to receive output

*FIRST: The first member in the file receives the output. If OUTMBR(*FIRST) is specified and the member does not exist, the system creates a member with the name of the file specified for the File to receive output (OUTFILE) parameter. If the member already exists, you have the option to add new records to the end of the existing member or clear the member and then add the new records.

name: Specify the name of the file member that receives the output. If it does not exist, the system creates it.

Element 2: Replace or add records

*REPLACE: The system clears the existing member and adds the new records.

*ADD: The system adds the new records to the end of the existing records.

Check domain (CHKDMN)

Specifies whether or not to check object domain integrity.

*YES

Object domain integrity is to be checked.

Note: The following objects are valid in user domain so they are not checked:

QTEMP library
all objects of type *PGM
all objects of type *SQLPKG
all objects of type *SRVPGM

The following object types are valid in user domain only if the library they are in is specified in system value QALWUSRDMN (or if QALUSRDMN is *ALL).

*USRSPC
*USRQ
*USRIDX

*NO

Object domain integrity is not to be checked.

Check program and module (CHKPGMMOD)

Specifies whether or not the integrity of program and module objects will be checked.

*YES: Program and module integrity is to be checked.
*NO: Program and module integrity is not to be checked.

Check command (CHKCMD)

Specifies whether or not the integrity of commands will be checked.

*YES: Command integrity is to be checked.
*NO: Command integrity is not to be checked.

Check signature (CHKSIG)

Specifies whether or not the digital signatures of objects that can be signed will be checked.

*SIGNED: Objects with digital signatures are checked. Any object with a signature that is not valid will be logged.
*ALL: All objects that can be digitally signed are checked. Any object that can be signed but has no signature will be logged. Any object with a signature that is not valid will be logged.
*NONE: Digital signatures will not be checked.

Check library (CHKLIB)

Specifies whether or not the integrity of library attributes will be checked.

*YES: Library attribute integrity is to be checked.
*NO: Library attribute integrity is not to be checked.

Scan file systems (SCANFS)

Specifies whether objects in the integrated file systems identified by the QSCANFS system value should be scanned or if existing scan status should be returned.

The integrated file system scan-related exit points are:

QIBM_QP0L_SCAN_OPEN - Integrated File System Scan on Open Exit Program
QIBM_QP0L_SCAN_CLOSE - Integrated File System Scan on Close Exit Program

For details on these exit points, see the System API Reference information in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter.

*STATUS: Objects will not be scanned, but if an object's status indicates it failed the most recent scan operation, a SCANFSFAIL integrity violation will be logged.
*YES: Objects will be scanned according to the rules described in the scan-related exit programs. If an object fails the scan operation, a SCANFSFAIL integrity violation will be logged.
*NO: Objects will not be scanned and their scan failure status will not be logged.

Directory subtree (SUBTREE)

Specifies whether or not to check the objects within the subtree if the object specified by the Object (OBJ) parameter is a directory.

*NONE: The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked, but the directory contents will not be checked.
*ALL: The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked as well as its contents and the contents of all subdirectories.
Note: Pattern matching from the OBJ parameter only applies to the first level objects. If the first level object is a directory, the pattern matching does not apply to its contents or the contents of its subdirectories.

Examples

Example 1: Check Objects Owned by One User Profile

CHKOBJITG   USRPRF(JOEPGMR)  OUTFILE(SECCHECK)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*YES)  CHKPGMMOD(*YES)
            CHKSIG(*YES)  CHKLIB(*YES)

This command checks all objects owned by user JOEPGMR for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, objects with digital signatures that are not valid, and libraries whose attributes have been tampered with will cause integrity violation records to be logged in database file SECCHECK. Database file SECCHECK is first cleared of any existing records.

Example 2: Check Objects Owned by Multiple User Profiles

CHKOBJITG   USRPRF(ABC*)  OUTFILE(ABCCHECK)
            OUTMBR(*FIRST *REPLACE)  CHKDMN(*YES)
            CHKPGMMOD(*YES)  CHKSIG(*NONE)  CHKLIB(*YES)

This command checks all objects owned by user profiles that start with ABC for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and libraries whose attributes have been tampered with will cause integrity violation records to be logged to database file ABCCHECK. Database file ABCCHECK will first be cleared of any existing records.

Example 3: Check Objects in One Library

CHKOBJITG   OBJ('/QSYS.LIB/LIB2.LIB/ABC*.*)  OUTFILE(SECCHECK2)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*YES)  CHKPGMMOD(*YES)
            CHKSIG(*ALL)  CHKLIB(*NO)

This command checks objects in library LIB2 that have names beginning with ABC that are of any object type for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and objects with not valid or missing digital signatures will cause integrity violation records to be logged to database file SECCHECK2. Database file SECCHECK2 will first be cleared of any existing records.

Example 4: Check Object in a Directory

CHKOBJITG   OBJ('/PartOrder/Forms.jar')  OUTFILE(SECCHECK3)
            OUTMBR(*FIRST *REPLACE)
            CHKDMN(*NO)  CHKPGMMOD(*NO)
            CHKSIG(*ALL)  CHKLIB(*NO)

This command checks file Forms.jar in directory PartOrder for integrity violations. If the file has a digital signature that is not valid or is capable of being signed and has no signature, an integrity violation record will be logged to database file SECCHECK3. Database file SECCHECK3 will first be cleared of any existing records.

Note: Any Java programs associated with this stream file will be checked for valid signatures as well.

Example 5: Check Object in a Directory

CHKOBJITG   OBJ('/Parts/*')  OUTFILE(SECCHECK4)
            CHKDMN(*NO)  CHKPGMMOD(*NO)  CHKSIG(*NONE)
            CHKLIB(*NO) SCANFS(*YES)

This command scans all files in directory Parts for integrity violations. If a file fails the scan by the scan-related exit program, an integrity violation record will be logged to database file SECCHECK4.

Error messages

*ESCAPE Messages

CPF22D9: No user profiles of specified name exist.
CPF22F0: Unexpected errors occurred during processing.
CPF2204: User profile &1 not found.
CPF2213: Not able to allocate user profile &1.
CPF222E: &1 special authority is required.
CPF222F: Command not run.
CPF9860: Error occurred during output file processing.