Object Integrity Scanning
Powertech Antivirus for IBM i can detect potentially dangerous changes to the operating system, and for user programs that have the potential to cause serious harm to the operating system and bypass security. Powertech Antivirus for IBM i Object Integrity scanning can:
- Detect changes to IBM provided operating system objects
- Detect if libraries or commands have been tampered with
- Detect user programs that have been patched into fooling the operating system to allow it to bypass security and system integrity
- Optionally retranslate patched program, reinstating the operating system’s ability to enforce its security and object integrity protection with these programs
We recommend you run an object integrity scan:
- After someone has restored programs to your system
- After someone has used dedicated service tools (DST)
- After you install a product from a new ISV and at least periodically after updates from established ISVs
- Periodically to check if anyone has changed any system objects
Digital Signature Checking
Beginning in V5R1, IBM started signing the operating system as a way of officially marking objects as originating from IBM and as a means of detecting when unauthorized changes occur to system objects. A digital signature can be used to show proof of origin and detect tampering.
Figure 1 shows an example of digital signatures. There are tens of thousands of digital signatures on the system. A digital signature does not prevent an object from being modified or tampered with – but it can be used to determine if an object has been changed.
Figure 1 - IBM i Digital Signatures
Whenever an object is changed, the digital signature is invalidated. The object may continue to run, but not in a way that was intended by the signer (IBM, in this case). Powertech Antivirus for IBM i uses application program interfaces (APIs) provided by IBM to verify the signature of these objects that have been digitally signed.
Patched programs
A potentially, and very serious, security risk is user programs that have been patched to fool the operating system into allowing them to bypass all system security levels. Allowing system state programs provided by someone other than IBM represents a potential integrity risk to your system. At best these programs may be using interfaces or directly manipulating the internals of the objects that IBM is free to change at any time. The results of such a change could be a failed application, an unstable system, or even a damaged system that needs to be reinstalled. At worst, they could be rogue programs that are bypassing the auditing and integrity of your system to steal information or intentionally damage it.
Powertech Antivirus for IBM i can detect patched programs, and optionally retranslate them to remove the patch. Retranslating will in most cases cause the program to fail. We recommend running the object integrity scan with the translate option set to *NO, then review the output of the command to see what programs were detected. Contact the owner and/or administrator of the programs to obtain proper versions of the programs. If proper versions cannot be obtained, you can add the program(s) to an exclusions list. Exclude the program only when you trust the vendor/owner of the program at the expense of bypassing operating system integrity and security.
Setup
To setup object integrity scanning:
- On the Main Menu, choose option 50, Setup Menu.
- Choose option 5, Object Integrity Scan Tasks (or type AVCFGITGT at the command line).
- Press F9 to see all parameters. See Configure Integrity Scan Task (AVCFGITGT) for details.
- Configure parameters as needed and press Enter.