The CAAC has reviewed this Idea and recommends that IBM not implement this request. We agree with the IBM response about the impact this Idea would have on system security. However, the Comment that suggests a QTEMP folder should be submitted as a separate new Idea, though applications would need to be rewritten to use the support if it were provided.
Background: The COMMON Americas Advisory Council (CAAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CAAC has a key role in working with IBM i development to help assess the value and impact of individual Ideas on the broader IBM i community, and has therefore reviewed your Idea.
For more information about CAAC, see www.common.org/caac
Nancy Uthke-Schmucki - CAAC Program Manager
What we need is a QTEMP-like in the IFS, that will behave like QTEMP when we can specify *NOQTEMP in SysVal QAUDCTL.
We do not wish to break anything, especially if it is in security.
One idea could be to create an IFS folder which carries the job name/job number/job internal ID. This folder will be accessible only from the same job.
A Scope message will delete it when the job ends.
Alternatively, to be able to build a folder with an attribute that will regard that its auditing is not performed when *NOQTEMP is in SysVal QAUDCTL.
Shmuel Zailer CEO & CTO
Thank you for submitting this Idea. This is actually a duplicate of IBMI-I-3037 which was declined earlier this year.
We do understand how auditing will create a large number of records in the audit journal for some operations. However, while it may seem like /tmp and QTEMP are the same, they are far from it.
The integrated file system does not have anything similar to the concept of the QTEMP library for each job.
Objects linked within the integrated file system are available to all jobs, provided users have the correct permissions for access. We (the integrated file system) must perform audit based on the system, user profile, and object configuration.
Any change to not audit the current /tmp and its contents will negatively impact system security.
In fact, a change to not audit objects that are in a system-wide namespace would negatively impact system security.
Having said that, though, there have been many requests for some directory that is truly temporary, maybe on a 24-hour or 7-day cycle of cleanup, rather than between IPLs which could be several months or longer.
Even that, though, could impact system security as those objects would still be accessible to everyone. But, we are considering it.
Changing this to Uncommitted Candidate. There is not anything in our current plans to do anything, nor is this a promise to make a change.
I agree also, because we have the problem that the journal receivers increase during the scans, and we have to keep the receivers 2 months.
We are the developers of iSecurity/Antivirus. During the process of checking a folder, if a .zip, .tar, .war etc. is detected, there is a need to open the archive and check each file separately. Naturally, this requires created files. Each creation also produces some authority changes. After the check, a delete takes place.
All this is recorded in the QAUDJRN...
We also came across applications that transfer data in temporary files. No one needs to trace these files' creation and deletion.
I agree 100%. Why stop at /tmp? DB2 Web Query creates/deletes multitudes of objects. So many that I've disabled CO and DO auditing. When enabled, DB2 Web Query accounts for over 99% of the CO/DO entries in the audit journal.
IBM i Auditing needs to keep pace with how the system is actually used.