Creating custom control libraries
As of 16 June 2025, you cannot create new instances in this version of the product. All of its functionality is available in the updated experience of Security and Compliance Center Workload Protection. For more information, see the transition documentation.
With IBM Cloud® Security and Compliance Center, you can create custom control libraries that are specific to your organization's needs. You define the controls and specifications first, and then map the assessments that you created previously to them.
A control library is a grouping of controls that are added to Security and Compliance Center. The service offers several predefined libraries that are designed to help meet compliance for specific use cases. Each control has several specifications and assessments that are mapped to it. A specification is a defined requirement that is specific to a component. When an organization meets the specification, it helps to ensure that the organization complies with the control. One or more assessments are mapped to each specification and perform detailed evaluations to check whether the specification is compliant. For more information, see Key concepts.
Before you begin
Before you begin, ensure that you have the required level of access to create and manage libraries. To manage libraries, you need the Writer service role or higher.
Creating a library
You can create a custom library by using the Security and Compliance Center UI.
1. In the IBM Cloud console, go to the Resource list page and select your Security and Compliance Center instance.
2. In your instance of Security and Compliance Center, click Controls > Control libraries.
3. Click Create. A side panel opens.
4. Provide a name, description, and version for your library.
5. Click Create. Your library opens in a new page, but it is empty.
6. To start adding controls, click Create.
   - Provide the details of your control by including a name, description, and category.
   - Click Add to start adding existing specifications to your control.
   - Provide a description for your specification.
   - Select a component.
   - Select the existing assessments that help to evaluate the specification, and then click Create.
     If you don't see an assessment that is specific to your use case, you can create a rule. When you create a rule, it is displayed in the assessments section.
   - When you are finished adding specifications to your control, click Create.
7. Repeat these steps until all of your controls are added.
Creating a library with the API
You can create a custom library by using the Security and Compliance Center API.
curl -X POST \
  --location --header "Authorization: Bearer {iam_token}" \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '{
    "id": "60351ac6-2dba-495e-9c98-057601069723",
    "account_id": "cg3335893hh1428692d6747cf300yeb5",
    "control_library_name": "IBM Cloud for Financial Services",
    "control_library_description": "IBM Cloud for Financial Services",
    "control_library_type": "custom",
    "version_group_label": "33fc7b80-0fa5-4f16-bbba-1f293f660f0d",
    "control_library_version": "1.1.0",
    "controls": [
      {
        "control_name": "SC-7",
        "control_id": "1fa45e17-9322-4e6c-bbd6-1c51db08e790",
        "control_description": "Boundary Protection",
        "control_category": "System and Communications Protection",
        "control_parent": "",
        "control_requirement": false,
        "control_tags": [
          "1fa45e17-9322-4e6c-bbd6-1c51db08e790"
        ],
        "control_specifications_count": 0,
        "control_specifications": [
          {
            "control_specification_id": "5c7d6f88-a92f-4734-9b49-bd22b0900184",
            "responsibility": "user",
            "component_id": "iam-identity",
            "component_name": "IAM Identity Service",
            "environment": "ibm-cloud",
            "control_specification_description": "IBM cloud",
            "assessments_count": 0
          }
        ],
        "control_docs": {
          "control_docs_id": "sc-7",
          "control_docs_type": "ibm-cloud"
        }
      }
    ]
  }' \
  "https://us-south.compliance.cloud.ibm.com/instances/{instance_id}/v3/control_libraries"
Go:
(securityAndComplianceCenterApi *SecurityAndComplianceCenterApiV3) CreateCustomControlLibrary(createCustomControlLibraryOptions *CreateCustomControlLibraryOptions) (result *ControlLibrary, response *core.DetailedResponse, err error)
Java:
// Parameter that the assessment rule accepts
ParameterInfo parameterInfoModel = new ParameterInfo.Builder()
  .parameterName("session_invalidation_in_seconds")
  .parameterDisplayName("Sign out due to inactivity in seconds")
  .parameterType("numeric")
  .build();
// Assessment (rule) that evaluates the specification
Implementation implementationModel = new Implementation.Builder()
  .assessmentId("rule-238a6025-2522-4d36-831b-a32f81f97304")
  .assessmentMethod("ibm-cloud-rule")
  .assessmentType("automated")
  .assessmentDescription("Check whether authorized IP ranges are configured for the account")
  .parameters(java.util.Arrays.asList(parameterInfoModel))
  .build();
// Component-specific specification under the control
ControlSpecifications controlSpecificationsModel = new ControlSpecifications.Builder()
  .controlSpecificationId("5c7d6f88-a92f-4734-9b49-bd22b0900184")
  .componentId("iam-identity")
  .componentName("IAM Identity Service")
  .environment("ibm-cloud")
  .controlSpecificationDescription("IBM cloud")
  .assessments(java.util.Arrays.asList(implementationModel))
  .build();
ControlDocs controlDocsModel = new ControlDocs.Builder()
  .controlDocsId("sc-7")
  .controlDocsType("ibm-cloud")
  .build();
// The control that groups the specifications
ControlsInControlLib controlsInControlLibModel = new ControlsInControlLib.Builder()
  .controlName("SC-7")
  .controlId("1fa45e17-9322-4e6c-bbd6-1c51db08e790")
  .controlDescription("Boundary Protection")
  .controlCategory("System and Communications Protection")
  .controlTags(java.util.Arrays.asList("1fa45e17-9322-4e6c-bbd6-1c51db08e790"))
  .controlSpecifications(java.util.Arrays.asList(controlSpecificationsModel))
  .controlDocs(controlDocsModel)
  .controlRequirement(true)
  .build();
CreateCustomControlLibraryOptions createCustomControlLibraryOptions = new CreateCustomControlLibraryOptions.Builder()
  .controlLibraryName("IBM Cloud for Financial Services")
  .controlLibraryDescription("IBM Cloud for Financial Services")
  .controlLibraryType("custom")
  .controls(java.util.Arrays.asList(controlsInControlLibModel))
  .versionGroupLabel("33fc7b80-0fa5-4f16-bbba-1f293f660f0d")
  .controlLibraryVersion("1.0.0")
  .build();
Response<ControlLibrary> response = securityAndComplianceCenterApiService.createCustomControlLibrary(createCustomControlLibraryOptions).execute();
ControlLibrary controlLibrary = response.getResult();
System.out.println(controlLibrary);
Node.js:
// Request models needed by this operation.
// ParameterInfo
const parameterInfoModel = {
  parameter_name: 'session_invalidation_in_seconds',
  parameter_display_name: 'Sign out due to inactivity in seconds',
  parameter_type: 'numeric',
};
// Implementation
const implementationModel = {
  assessment_id: 'rule-238a6025-2522-4d36-831b-a32f81f97304',
  assessment_method: 'ibm-cloud-rule',
  assessment_type: 'automated',
  assessment_description: 'Check whether authorized IP ranges are configured for the account',
  parameters: [parameterInfoModel],
};
// ControlSpecifications
const controlSpecificationsModel = {
  control_specification_id: '5c7d6f88-a92f-4734-9b49-bd22b0900184',
  component_id: 'iam-identity',
  environment: 'ibm-cloud',
  control_specification_description: 'IBM cloud',
  assessments: [implementationModel],
};
// ControlDocs
const controlDocsModel = {
  control_docs_id: 'sc-7',
  control_docs_type: 'ibm-cloud',
};
// ControlsInControlLib
const controlsInControlLibModel = {
  control_name: 'SC-7',
  control_id: '1fa45e17-9322-4e6c-bbd6-1c51db08e790',
  control_description: 'Boundary Protection',
  control_category: 'System and Communications Protection',
  control_parent: 'testString',
  control_tags: ['1fa45e17-9322-4e6c-bbd6-1c51db08e790'],
  control_specifications: [controlSpecificationsModel],
  control_docs: controlDocsModel,
  control_requirement: true,
};
const params = {
  controlLibraryName: 'IBM Cloud for Financial Services',
  controlLibraryDescription: 'IBM Cloud for Financial Services',
  controlLibraryType: 'custom',
  controls: [controlsInControlLibModel],
  versionGroupLabel: '33fc7b80-0fa5-4f16-bbba-1f293f660f0d',
  controlLibraryVersion: '1.0.0',
};
let res;
try {
  res = await securityAndComplianceCenterApiService.createCustomControlLibrary(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
Python:
create_custom_control_library(
    self,
    control_library_name: str,
    control_library_description: str,
    control_library_type: str,
    controls: List['ControlsInControlLib'],
    *,
    version_group_label: str = None,
    control_library_version: str = None,
    latest: bool = None,
    controls_count: int = None,
    x_correlation_id: str = None,
    x_request_id: str = None,
    **kwargs,
) -> DetailedResponse
A successful response returns a boolean that confirms that success is true. For more information about the required and optional request parameters, check the API docs.
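To make the library structure concrete before a request is sent, here is an added Python example (not IBM's code and not part of this page) that assembles the request body from the page's SC-7 / IAM Identity example and runs a few pre-flight checks on it. The checks it applies (a control carries at least one specification, a specification names a component and at least one assessment, control IDs are unique, the version is MAJOR.MINOR.PATCH) are an assumed policy of the example, not rules that the service documents.

```python
"""Build and pre-flight-check the request body for a custom control library
(the JSON passed as --data to the curl call above, or as --controls to the CLI).

Added example, not IBM's code. Field names follow the request body shown on this
page; the checks are an assumed pre-flight policy, not rules the service documents."""
import json
import re
from typing import Any, Dict, List

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def build_assessment(assessment_id: str, description: str) -> Dict[str, Any]:
    # An assessment is the automated check that is mapped to a specification.
    return {"assessment_id": assessment_id, "assessment_method": "ibm-cloud-rule",
            "assessment_type": "automated", "assessment_description": description}


def build_specification(spec_id: str, component_id: str, component_name: str,
                        description: str, assessments: List[Dict[str, Any]]) -> Dict[str, Any]:
    # A specification is a component-specific requirement under a control.
    return {"control_specification_id": spec_id, "responsibility": "user",
            "component_id": component_id, "component_name": component_name,
            "environment": "ibm-cloud", "control_specification_description": description,
            "assessments": assessments}


def build_control(name: str, control_id: str, description: str, category: str,
                  specifications: List[Dict[str, Any]]) -> Dict[str, Any]:
    return {"control_name": name, "control_id": control_id,
            "control_description": description, "control_category": category,
            "control_requirement": True, "control_specifications": specifications}


def build_library(name: str, description: str, version: str,
                  controls: List[Dict[str, Any]]) -> Dict[str, Any]:
    return {"control_library_name": name, "control_library_description": description,
            "control_library_type": "custom",  # a user-created library is "custom"
            "control_library_version": version, "controls": controls}


def validate_library(lib: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the body passes the checks."""
    problems: List[str] = []
    for key in ("control_library_name", "control_library_description", "controls"):
        if not lib.get(key):
            problems.append(f"missing or empty {key}")
    if lib.get("control_library_type") != "custom":
        problems.append("control_library_type must be 'custom'")
    version = lib.get("control_library_version")
    if version is not None and not SEMVER.match(version):
        problems.append(f"control_library_version {version!r} is not MAJOR.MINOR.PATCH")
    seen_ids = set()
    for control in lib.get("controls") or []:
        cname = control.get("control_name", "<unnamed>")
        cid = control.get("control_id")
        if cid in seen_ids:
            problems.append(f"duplicate control_id {cid} ({cname})")
        seen_ids.add(cid)
        specs = control.get("control_specifications") or []
        if not specs:
            problems.append(f"control {cname} has no specifications")
        for spec in specs:
            sid = spec.get("control_specification_id", "<no id>")
            if not spec.get("component_id"):
                problems.append(f"specification {sid} has no component_id")
            if not spec.get("assessments"):
                problems.append(f"specification {sid} has no assessments")
    return problems


def example_library() -> Dict[str, Any]:
    # Constructed from the SC-7 / IAM Identity example that this page uses.
    check = build_assessment("rule-238a6025-2522-4d36-831b-a32f81f97304",
                             "Check whether authorized IP ranges are configured for the account")
    spec = build_specification("5c7d6f88-a92f-4734-9b49-bd22b0900184", "iam-identity",
                               "IAM Identity Service",
                               "Ensure authorized IP ranges are configured for the account",
                               [check])
    sc7 = build_control("SC-7", "1fa45e17-9322-4e6c-bbd6-1c51db08e790", "Boundary Protection",
                        "System and Communications Protection", [spec])
    return build_library("IBM Cloud for Financial Services",
                         "IBM Cloud for Financial Services", "1.0.0", [sc7])


def broken_library() -> Dict[str, Any]:
    # The same library plus a second specification that names no component and
    # maps no assessment: the kind of gap worth catching before the request is sent.
    lib = example_library()
    lib["controls"][0]["control_specifications"].append(
        {"control_specification_id": "45248bae-562d-4266-8d07-301021f7635b",
         "responsibility": "user"})
    return lib


if __name__ == "__main__":
    for candidate in (example_library(), broken_library()):
        issues = validate_library(candidate)
        print("pre-flight OK" if not issues else "\n".join(issues))
    # A passing body can be saved to a file and sent with: curl ... --data @library.json
    print(json.dumps(example_library(), indent=2))
```

Run it as a script to see the passing body and the two problems that the broken variant reports; a specification with no assessment mapped to it can never be evaluated, so a library that carries one will produce controls that are never checked rather than a failed request.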
Creating a library with the CLI
You can create a custom library by using the Security and Compliance Center CLI. See the CLI reference for more information.
ibmcloud security-compliance control-library create \
  --control-library-name='IBM Cloud for Financial Services' \
  --control-library-description='IBM Cloud for Financial Services' \
  --control-library-type=custom \
  --controls='[
    {
      "control_name": "SC-7",
      "control_id": "1fa45e17-9322-4e6c-bbd6-1c51db08e790",
      "control_description": "Boundary Protection",
      "control_category": "System and Communications Protection",
      "control_parent": "exampleString",
      "control_tags": [
        "1fa45e17-9322-4e6c-bbd6-1c51db08e790"
      ],
      "control_specifications": [
        {
          "control_specification_id": "5c7d6f88-a92f-4734-9b49-bd22b0900184",
          "responsibility": "user",
          "component_id": "iam-identity",
          "component_name": "IAM Identity Service",
          "component_type": "service",
          "environment": "ibm-cloud",
          "control_specification_name": "iam-identity_authorized_ip_ranges_configured_for_the_account",
          "control_specification_description": "Ensure authorized IP ranges are configured for the account",
          "assessments": [
            {
              "assessment_type": "automated",
              "assessment_method": "ibm-cloud-rule",
              "assessment_description": "Check whether authorized IP ranges are configured for the account",
              "assessment_id": "rule-238a6025-2522-4d36-831b-a32f81f97304",
              "assessment_definition_type": "service_config"
            }
          ]
        },
        {
          "control_specification_id": "45248bae-562d-4266-8d07-301021f7635b",
          "responsibility": "user"
        }
      ],
      "control_docs": {
        "control_docs_id": "sc-7",
        "control_docs_type": "ibm-cloud"
      },
      "control_requirement": true,
      "status": "enabled"
    }
  ]' \
  --version-group-label=33fc7b80-0fa5-4f16-bbba-1f293f660f0d \
  --control-library-version=1.0.0 \
  --latest=true \
  --controls-count=38 \
  --x-correlation-id=exampleString \
  --x-request-id=exampleString
Creating a library with Terraform
You can create a custom library by using Terraform.
resource "ibm_scc_control_library" "scc_control_library_instance" {
  control_library_description = "My control library's description."
  control_library_name        = "control_library_new"
  control_library_type        = "custom"
  controls {
    control_name        = "control_name"
    control_id          = "1fa45e17-9322-4e6c-bbd6-1c51db08e790"
    control_description = "My control's description."
    control_category    = "control_category"
    control_parent      = "control_parent"
    control_tags        = ["control_tags"]
    control_specifications {
      control_specification_id          = "f3517159-889e-4781-819a-89d89b747c85"
      responsibility                    = "user"
      component_id                      = "f3517159-889e-4781-819a-89d89b747c85"
      component_name                    = "component_name"
      environment                       = "environment"
      control_specification_description = "My control specification's description."
      assessments_count                 = 1
      assessments {
        assessment_id          = "assessment_id"
        assessment_method      = "assessment_method"
        assessment_type        = "assessment_type"
        assessment_description = "My assessment's descriptions."
        parameter_count        = 1
        parameters {
          parameter_name         = "parameter_name"
          parameter_display_name = "parameter_display_name"
          parameter_type         = "string"
        }
      }
    }
    control_docs {
      control_docs_id   = "control_docs_id"
      control_docs_type = "control_docs_type"
    }
    control_requirement = true
    status              = "enabled"
  }
  version_group_label = "e0923045-f00d-44de-b49b-6f1f0e8033cc"
}
For more information, check the Terraform reference.
Next steps
After you add a library to the service, you can use it to create a profile. From the library details, click Actions > Create profile to start evaluating your resources.