How Object Integrity Scanning Enhances IBM i Security

March 7, 2017

IBM i has had superior built-in security features from the beginning. However, as internetworking increases and open protocols and servers become the norm, additional protection is needed.

To provide that additional protection, programs and other objects can be associated with digital signatures, so that you can be confident the objects came from their expected source and were not modified in transit.

The IBM i Check Object Integrity (CHKOBJITG) command checks objects owned by a specified user profile, objects that match a specified path name, or all objects on the system to determine if any objects have integrity violations. An integrity violation occurs if:

  • A command, program or module object has been tampered with (ALTERED)
  • An object has a digital signature that is not valid (BADSIG)
  • An object has an incorrect domain attribute for its object type (DMN)
  • A program or module object has been tampered with (PGMMOD)
  • A library's protection attributes have been tampered with (BADLIBUPDA)
  • An object failed a file system scan (SCANFSFAIL)

Logging Object Integrity Violations

If an integrity violation has occurred, the object name, library name (or path name), object type, object owner, and type of failure are logged to a database log file. The command also creates a log entry in certain other cases that are not integrity violations: objects that can be signed but do not have a digital signature, and objects that could not be checked. The failure types logged for these cases are:

  • An object can be signed but does not have a digital signature (NOSIG)
  • An object cannot be checked; it is in debug mode, saved with storage freed, or compressed (NOTCHECKED)

Checking for Digital Signatures

The CHKSIG parameter value controls how the command handles digital signatures on objects. You can specify one of three values for this parameter:

  • *SIGNED: When you specify this value, the command checks objects with digital signatures. The command creates a log entry for any object with a signature that is not valid. This is the default value.
  • *ALL: When you specify this value, the command checks all signable objects to determine whether they have a signature. The command creates a log entry for any signable object that does not have a signature and for any object with a signature that is not valid.
  • *NONE: When you specify this value, no digital signatures on objects will be checked.

There are some restrictions and requirements for using the CHKOBJITG command. For example, objects that are compressed, damaged, saved with storage freed, or in debug mode may not be checked. To check object integrity, your user profile must have *AUDIT special authority.
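
One way to triage the log entries described above, as an added example (not IBM or Powertech code). It assumes the log file has been exported to CSV; the column names, the `triage` function, and the sample rows are hypothetical and constructed for illustration. Besides sorting entries into integrity violations and non-violations, it reports which signature findings the chosen CHKSIG value could not have produced, since their absence from the log does not mean those objects are clean.

```python
import csv
import io
from collections import defaultdict

# Failure types the article lists as integrity violations.
VIOLATIONS = {"ALTERED", "BADSIG", "DMN", "PGMMOD", "BADLIBUPDA", "SCANFSFAIL"}
# Signature-related entries each CHKSIG value can produce, per the article.
SIG_ENTRIES = {"*SIGNED": {"BADSIG"}, "*ALL": {"BADSIG", "NOSIG"}, "*NONE": set()}

# Constructed sample export. Column names and all values are assumptions,
# not the layout of the real CHKOBJITG log file.
SAMPLE = """library,object,type,owner,failure
PAYLIB,PAYCALC,*PGM,APPOWNER,PGMMOD
PAYLIB,PAYRPT,*PGM,APPOWNER,NOSIG
UTILLIB,SNDRPT,*CMD,QPGMR,ALTERED
UTILLIB,OLDTOOL,*PGM,QPGMR,NOTCHECKED
VENDLIB,VNDSRV,*SRVPGM,VENDOR,BADSIG
VENDLIB,VNDX,*PGM,VENDOR,WEIRD
"""


def triage(export_text, chksig="*SIGNED"):
    """Sort log entries into action buckets and report signature blind spots."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        code = row["failure"].strip().upper()
        name = f'{row["library"]}/{row["object"]} {row["type"]} ({row["owner"]})'
        if code in VIOLATIONS:
            bucket = "escalate"   # integrity violation: hand to the security team
        elif code == "NOTCHECKED":
            bucket = "recheck"    # object was never verified, so it is a coverage gap
        elif code == "NOSIG":
            bucket = "unsigned"   # logged, but not an integrity violation
        else:
            bucket = "unknown"    # unrecognised type: review rather than drop
        buckets[bucket].append((code, name))
    # Signature findings this run could not have produced: their absence
    # from the log says nothing about those objects.
    not_evaluated = sorted({"BADSIG", "NOSIG"} - SIG_ENTRIES[chksig])
    return dict(buckets), not_evaluated


if __name__ == "__main__":
    found, blind = triage(SAMPLE, chksig="*ALL")
    for bucket in ("escalate", "recheck", "unsigned", "unknown"):
        for code, name in found.get(bucket, []):
            print(f"{bucket:9} {code:11} {name}")
    print("signature findings not evaluated:", blind or "none")
```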

Scan Object Integrity The Way You Scan for Viruses

This very powerful IBM-supplied command allows you to verify object integrity in much the same way that you use a virus checker to determine when a virus has corrupted IFS files on your system. If a user program were altered via Display/Alter (or other means) to run as a System State program, the CHKOBJITG command could identify that, much like a virus scan engine could identify an executable lurking in the IFS that has the ability to modify your Windows startup program. Both situations can seriously harm your system or bypass your security entirely. Both must be protected against. Unless you are scanning objects, you can’t know for sure if they have been changed.

Powertech Antivirus for IBM i will scan and detect changed objects, patched programs, and other unauthorized modifications, whether they are IBM-supplied objects residing in libraries or IFS objects vulnerable to common malware. Powertech Antivirus for IBM i is powered by McAfee’s scan engine to check the IFS, and it executes IBM’s CHKOBJITG command to check the library system.

This provides you with a complete solution for protecting yourself against unwanted changes. By having virus scanning, malware detection, and object integrity checking in one solution, you can use the same job scheduling tool, log archiving process, and method of escalation to your security team when something needs attention. It just makes sense to have it all in one place.
