Checking for objects that have been altered

An altered object is often an indication that someone is attempting to tamper with your system. You can use the Check Object Integrity (CHKOBJITG) command to check those objects that have been altered.

When you run the command, the system creates a database file containing information about any potential integrity problems. You can check objects owned by one or more profiles, objects that match a path name, or all objects on the system. You can look for objects whose domain have been altered and objects that have been tampered with. You can recalculate program validation values to look for objects of type *PGM, *SRVPGM, *MODULE, and *SQLPKG that have been altered. You can check the signature of objects that can be digitally signed. You can check if libraries and commands have been tampered with. You can also start an integrated file system scan or check if objects failed a previous integrated file system scan.

Running the CHKOBJITG command requires *AUDIT special authority. The command might take a long time to run because of the scans and calculations that it performs. You should run it at a time when your system is not busy. Most IBM commands duplicated from a release before V5R2 will be logged as violations. These commands should be deleted and re-created using the Create Duplicate Object (CRTDUPOBJ) command each time a new release is loaded.