TAA Tools

The Check CPP Authority  command checks command objects in  one or more
libraries  that are  specified  as *PUBLIC  *EXCLUDE.   If  the Command
Processing  Program  (CPP)  is  not *PUBLIC  *EXCLUDE,  the  command is
flagged.  If your  intent is to prevent  access by the *PUBLIC user  to
a command,  the CPP should also  be considered for  *PUBLIC *EXCLUDE to
prevent the use of the CALL command to the CPP.

The intent of CHKCPPAUT is to flag those situations where your security
may not be as good as you think it is.

A typical command would be:

             CHKCPPAUT     LIB(xxx)

All  the  commands  in  the   named  library  that  have  an   *EXCLUDE
authorization would be checked to see if the CPP was also *EXCLUDE.

You must  have *ALLOBJ special authority  to use a LIB  value beginning
with  Q,  or   the  special  values  *LIBL,  *ALL,  *ALLUSR,  *ALLUSR2,

You  will  have  authorization  exceptions  if  you  specify  libraries
containing  objects that  you are  not  authorized to.    You can  omit
these libraries with the OMITLIB parameter.

If your  library request will cause the processing  of the Q libraries,
the   TAATOOL  library,  or  a   separate  library  containing  TAATOOL
commands (based  on a  TAATOOL install option),  you may  want to  omit
them with the OMITLIB parameter such as:


QSECURITY System Value and Object Domain

If your system  has a QSECURITY system value of Level  40 or above, the
system  provides  automatic  protection in  that  any  programs  in the
system domain cannot be called  using the CALL command.  This  includes
all programs  used as CPPs for  system commands.  Only  system programs
can exist  in the system domain.  Programs  created by commands such as
CRTCLPGM or CRTBNDRPG only exist in the  user domain.  You can see  the
domain of a program by using the TAA DSPOBJD2 command.

Objects controlled by an Authorization List

You may  secure a command  and/or its CPP  using the same  or different
Authorization  Lists   (*AUTL).    CHKCPPAUT  determines   that  if  an
Authorization  List exists and  the *PUBLIC authority  to the object is
*AUTL, that the authority comes from the Authorization List.

Commands which specify *LIBL or *CURLIB for the CPP

If a command  specifies a qualified library  name of *LIBL or  *CURLIB,
the library  list of  the user running  the CHKCPPAUT command  is used.
If  *LIBL  is used,  the first  program found  on  the library  list is
considered to be the CPP.

This may provide misleading information.
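
The check described in the sections above, modeled as an added example (it is
not the TAA tool's code). Every library, object and authorization list name in
it is constructed, and reporting a CPP that cannot be found is an assumption.

```python
# Simplified model of the check described above; not the TAA tool's code.
# All library, object and authorization list names are constructed samples.
AUTLS = {"PAYAUTL": "*EXCLUDE", "OPSAUTL": "*USE"}  # *PUBLIC authority of each *AUTL

# (library, name, type) -> (*PUBLIC authority, securing *AUTL, CPP of a command)
OBJECTS = {
    ("APPLIB", "PAYRUN", "*CMD"): ("*EXCLUDE", None, ("*LIBL", "PAYRUNC")),
    ("APPLIB", "ENDAPP", "*CMD"): ("*AUTL", "PAYAUTL", ("APPLIB", "ENDAPPC")),
    ("APPLIB", "DSPINF", "*CMD"): ("*USE", None, ("APPLIB", "DSPINFC")),
    ("APPLIB", "PAYRUNC", "*PGM"): ("*EXCLUDE", None, None),
    ("TESTLIB", "PAYRUNC", "*PGM"): ("*USE", None, None),
    ("APPLIB", "ENDAPPC", "*PGM"): ("*AUTL", "OPSAUTL", None),
    ("APPLIB", "DSPINFC", "*PGM"): ("*USE", None, None),
}

def public_authority(key):
    """Effective *PUBLIC authority; a value of *AUTL defers to the list."""
    public, autl, _ = OBJECTS[key]
    return AUTLS[autl] if public == "*AUTL" and autl else public

def resolve_cpp(cpp, libl):
    """For *LIBL, the first program found on the checker's library list wins."""
    lib, name = cpp
    for candidate in (libl if lib == "*LIBL" else [lib]):
        if (candidate, name, "*PGM") in OBJECTS:
            return (candidate, name, "*PGM")
    return None

def check_library(library, libl):
    """Flag *PUBLIC *EXCLUDE commands whose CPP is not *PUBLIC *EXCLUDE."""
    flagged = []
    for key in sorted(OBJECTS):
        lib, name, objtype = key
        if lib != library or objtype != "*CMD" or public_authority(key) != "*EXCLUDE":
            continue  # only commands that are *EXCLUDE are checked
        cpp = OBJECTS[key][2]
        pgm = resolve_cpp(cpp, libl)
        if pgm is None:  # assumption: a CPP that cannot be found is reported
            flagged.append((name, "/".join(cpp), "not found"))
        elif public_authority(pgm) != "*EXCLUDE":
            flagged.append((name, f"{pgm[0]}/{pgm[1]}", public_authority(pgm)))
    return flagged

if __name__ == "__main__":
    for libl in (["APPLIB", "TESTLIB"], ["TESTLIB", "APPLIB"]):
        print(libl, check_library("APPLIB", libl))
```

ENDAPP is flagged under either library list because its CPP takes *USE from a
different authorization list; PAYRUN is flagged only when TESTLIB is ahead of
APPLIB, so the result depends on the library list of the user running the check.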

TAA Productivity Tool Exceptions

   CHGUSRPWD     The tool  requires  the user  to modify  programs  and
                 place them  in the TAASECURE  library.  Since  this is
                 a  secure library,  the function cannot  be used  by a
                 *PUBLIC user.

   SNDUSRBRK     The SNDUSRBRK  CPP  is intended  to  be run  in  a  CL
                 program.  This  allows a CL program to  determine that
                 the  user  needs  to  send  a  break  message.     The
                 command  is *PUBLIC *EXCLUDE  and the program TAAMSHJC
                 is  *PUBLIC *USE.    The SNDUSRBRK2  command  requires
                 the   user  to   be   authorized   to  the   TAASNDBRK
                 Authorization  List.     It  uses  the  same  TAAMSHJC
                 program as the CPP.

                 The function  only sends  a break  message  to a  user
                 and is  not a significant  security concern.   Calling
                 the  CPP   directly  from  a  command  line  would  be
                 difficult  because  the  user  must  key  a  256  byte

   SBMJOB2       The  SBMJOB2   and  SBMJOB3  commands   use  different
                 defaults  than the  system  SBMJOB command.    The TAA
                 commands  use the SBMJOB  CPP in QSYS.   If you are at
                 Security Level 40 or  above, the CPP cannot be  called

CHKCPPAUT escape messages you can monitor for

      TAA9891    No libraries were found to process

      TAA9892    No commands were found to process

Escape messages from based-on functions will be re-sent.

Command parameters                                    *CMD

   LIB           The  list of  libraries to  be processed.   Up  to 300
                 libraries  may  be entered  (including  generic names)
                 or  the  special  values  *LIBL,  *USRLIBL,   *CURLIB,
                 *ALLUSR, *ALLUSR2, *ALLNONQ, *IBM, or *ALL.

                 For *LIBL and  *USRLIBL, if a current  library exists,
                 it  will  be considered  before the  libraries  on the
                 user portion  of the  library list.   If  the  current
                 library  is also  part  of  the  user portion  of  the
                 library list, it will only appear once.

                 *ALLUSR  means any  library  that was  not  created by
                 the system according to the CHKIBMLIB command.

                 *ALLUSR2  means  any library  that meets  the criteria
                 specified  for   the  SAVLIB  LIB(*ALLUSR)   function.
                 This  excludes   #  libraries  such   as  #SEULIB  and
                 includes  QUSRSYS, QGPL, etc.   See the  help text for
                 the SAVLIB LIB parameter  for a complete  description.

                 *ALLNONQ means  any library that  does not  begin with
                 the letter Q.

                 An entry  of *IBM causes all  libraries to be included
                 as per the definition of the CHKIBMLIB tool.

                 Product libraries  (those in  the product  portion  of
                 the library list) are never included.

                 You  must have  *ALLOBJ  special  authority to  use  a
                 value of  *ALL, *ALLUSR, *ALLUSR2,  *ALLNONQ, or *IBM.

   LIBTYPE       Whether  to select  all or  a specified  library type.
                 *ALL is the default to select all types.

                 *PROD may  be used  to select  only production  (PROD)

                 *TEST  may   be  used  to  select   only  test  (TEST)

   OMITLIB       A  list  of up  to  300 libraries  or  generic library
                 names that should be omitted.   *NONE is the  default.

                 An omit list may not be entered for LIB(*CURLIB).

                 Any library entered is checked for existence.

                 No check occurs  to see if an omit  library would have
                 been   selected.    For  example,   if  LIB(*LIBL)  is
                 entered with OMITLIB(ABC)  and library ABC  is not  on
                 the library list, no error occurs.


See previous comments.


The following TAA Tools must be on your system:

     CHKALLOBJ       Check *ALLOBJ special authority
     CHKDUPLST       Check duplicate list
     EDTVAR          Edit variable
     EXTLST          Extract list
     EXTLST2         Extract list 2
     RTVCMDA         Retrieve command attributes
     RTVOBJAUT       Retrieve object authority
     RTVSYSVAL3      Retrieve system value 3
     SNDCOMPMSG      Send completion message
     SNDESCMSG       Send escape message
     SNDSTSMSG       Send status message


None, the tool is ready to use.

Objects used by the tool

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   CHKCPPAUT     *CMD                   TAASEFQ       QATTCMD
   TAASEFQC      *PGM       CLP         TAASEFQC      QATTCL
   TAASEFQC2     *PGM       CLP         TAASEFQC2     QATTCL
   TAASEFQR      *PGM       RPG         TAASEFQR      QATTRPG

Added to TAA Productivity tools July 15, 2003
