Creating a custom policy from a template
You can create custom policies in IBM Cloud® Security and Compliance Center Workload Protection.
Complete the following steps to create a new policy with no prior policy as a base:
Before you begin
- In a policy, you can configure requirement groups to define the hierarchy and structure of controls in a policy.
  You can define 1 or more requirement groups per policy.
  Requirement groups are not shared between policies.
- In a requirement group, you can define 1 or more requirements. A requirement includes 1 or more controls.
  Requirements are not shared between policies.
  To reuse a requirement from another policy, you must create a new requirement group and requirement, and then link the wanted controls.
Step 1. Create a policy
Complete the following steps to create a policy that uses an existing policy as a template:
- Create a policy draft by duplicating an existing policy in one of the following ways:
  - Click New Policy and for Duplicate from select the policy to be duplicated from the menu.
  - Click the Actions icon next to the policy that you want to use as a template and click Duplicate.
- Enter a Name and Description for the policy.
- Click Save.
Your policy is saved in a Draft state and you can configure the policy details.
If you create a new policy by duplicating an existing policy, the new policy is displayed with the requirements and controls that are copied from the duplicated policy. If you create a policy without duplicating an existing policy, the requirements and controls are blank.
Step 2. Add requirement groups
Complete the following steps to create a requirement group:
- Open your policy by accessing the Posture Policies view and clicking the policy that you want to update.
- Click New Group.
- Enter the requirement group name and description.
- Click Save. The new group is displayed.
- You can optionally create subgroups.
  - Click the Actions icon next to the requirement group where you want to create a subgroup.
  - Click New Subgroup.
  - Enter the subgroup name and description.
  - Click Save.
Step 3. Add a requirement
Complete the following steps to add a requirement:
- Click the Actions icon next to the requirement group or requirements subgroup where you want to add a requirement.
- Click New Requirement.
- Enter the requirement name and description.
- Click Save.
Step 4. Link controls to a requirement
Complete the following steps to link controls to a requirement:
- Open your policy by accessing the Posture Policies view and clicking the policy to update.
- Click the requirement within a requirement group in your policy.
- Click Link Controls. All available controls are displayed with the top-20 listed first.
  You can filter the list by:
  - Severity: The severity that is assigned to the control: high (H), medium (M), or low (L).
  - Type: The infrastructure type. For example, cluster, host, identity, or resource.
  - Target: The specific platforms or distributions that a control evaluates resources against.
  You can also search on any word, or part of a word, in the control name.
  Multiple filters can be specified to create more specific filter expressions.
- Click Link for the control to link to the policy.
- Repeat these steps to link more controls as needed.
If you need to unlink a control, hover over the linked control and click Unlink.
Step 5. Publish the policy
After configuring your policy, you need to publish the policy so that it is used in compliance evaluations.
These steps are only available for policies in draft state. The publish option is not available for policies that are already published.
- Open your policy by accessing the Posture Policies view and clicking the policy that you want to publish.
- Click Publish and confirm that you want your policy published.
The date published is the date that the policy is activated.
If you change a published policy, the policy is reevaluated in the environment, and new results are displayed in the Compliance view. It can take a few minutes for the reevaluation to run and results to be refreshed.