From e7c5b3df7618f4afd2db306a6ae0e34bcc4f77ed Mon Sep 17 00:00:00 2001 From: "cldocid2@us.ibm.com" Date: Tue, 15 Oct 2024 12:58:07 +0000 Subject: [PATCH] Update: 15-10-2024 --- attachments.md | 12 +++++++--- available-profiles.md | 4 ++-- best-practices.md | 6 ++--- custom-library.md | 4 ++-- custom-profile.md | 4 ++-- custom-rule.md | 6 ++--- framework/architecture-workload-isolation.md | 9 ++++---- framework/at-events.md | 4 ++-- framework/disaster-recovery.md | 4 ++-- framework/endpoints.md | 9 +++----- framework/event-notifications.md | 8 +++---- framework/external-logs.md | 8 +++---- framework/iam.md | 4 ++-- framework/responsibilities.md | 14 +++++------- getting-started.md | 6 ++--- integrations/caveonix.md | 4 ++-- integrations/integrations.md | 8 +++---- integrations/workloadprotection.md | 4 ++-- known-issues.md | 6 ++--- landing.json | 2 +- limits.md | 12 +++++----- overview.md | 8 +++---- profile-versioning.md | 5 ++-- releases.md | 18 ++++++++++++--- results.md | 14 ++++++------ scopes.md | 7 +++--- tutorials/osco-v2.md | 7 +++--- tutorials/tags.md | 24 ++++++++++---------- 28 files changed, 111 insertions(+), 110 deletions(-) diff --git a/attachments.md b/attachments.md index a606b29a..b33bc92c 100644 --- a/attachments.md +++ b/attachments.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-10-08" +lastupdated: "2024-10-15" keywords: attachment, scan resources, scc, run evaluation 
@@ -49,9 +49,15 @@ To create an attachment, you can use the {{site.data.keyword.compliance_short}} 6. Select the scope that you want to target. Then, click **Next**. The scopes that are available in this view are filtered only to those scopes that contain resources that can be evaluated against your selected profile. If you aren't seeing the scope that you created, select a different profile or adjust the resources included in your scope. - {: tip} + {: tip} -7. In the annotation section, add custom annotations to individual controls. These annotations are for reference only and do not affect the evaluation process. Then, click **Next**. +7. In the annotation section, add custom annotations to individual controls. These annotations are for reference only and do not affect the evaluation process. Then, click **Next**. + + An annotation is a note that a user can add to a control. While these can be anything, typically they are used to highlight how your organization manages, mitigates, or remediates a control. For example, if you are looking at Control ID A.10.11 - Encryption of data, you might add the following test procedures as an annotation. + + * Verify that encryption is enabled on all storage volumes containing sensitive data by inspecting system configurations. + * Review a sample of transmission logs to ensure data in transit is being encrypted using TLS 1.2 or higher. + * Conduct a key management audit to confirm that keys are being stored securely and are rotated as required. 8. Define your scan settings. diff --git a/available-profiles.md b/available-profiles.md index a7cbd291..cab28512 100644 --- a/available-profiles.md +++ b/available-profiles.md @@ -2,7 +2,7 @@ copyright: years: 2024 -lastupdated: "2024-07-09" +lastupdated: "2024-10-15" keywords: best practices, security and compliance, governance, profile, predefined profiles, benchmark, controls, goals, security, compliance 
@@ -62,6 +62,6 @@ The following profiles are available for you to use in {{site.data.keyword.compl | NIST SP 800-53 | Validate that your resource configurations meet the baselines requirements that are identified by the National Institute of Standards and Technology | Multi-environment | [![Note icon](../../icons/note_icon.svg)](/docs/security-compliance?topic=security-compliance-nist-800-53-change-log) | | PCI | Validate that your resource configurations meet the baseline requirements that are identified by the Payment Card Industry Data Security Standard. | Multi-environment | [![Note icon](../../icons/note_icon.svg)](/docs/security-compliance?topic=security-compliance-pci-dss-change-log) | | SOC 2 | Validate that your resource configurations meet the baselines requirements that are identified in the Service Organization Control reports issued by the American Institute of Certified Public Accountants. | {{site.data.keyword.cloud_notm}} | [![Note icon](../../icons/note_icon.svg)](/docs/security-compliance?topic=security-compliance-soc2-change-log) | -{: caption="Table 2. Available predefined profiles" caption-side="top"} +{: caption="Available predefined profiles" caption-side="top"} **Integration required* diff --git a/best-practices.md b/best-practices.md index c95ba9e3..5e877150 100644 --- a/best-practices.md +++ b/best-practices.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-03-19" +lastupdated: "2024-10-15" keywords: scc best practices, enterprise, scc access 
@@ -61,7 +61,7 @@ A scope defines which resources in your accounts are evaluated. It is defined wh Check out the following diagram to see how three attachments can co-exist within an enterprise. -![The image shows how two attachments are applied across an enterprise. One rule moves down the hierarchy. Another rule is attached only to a specific account, so its properties are applied only to the resources that it contains.](images/access-model.svg){: caption="Figure 1. Attachment hierarchy" caption-side="bottom"} +![The image shows how two attachments are applied across an enterprise. One rule moves down the hierarchy. Another rule is attached only to a specific account, so its properties are applied only to the resources that it contains.](images/access-model.svg){: caption="Attachment hierarchy" caption-side="bottom"} Attachment A : In Attachment A, the target scope is the full enterprise. As you can see, all account groups and accounts that exist within the enterprise are evaluated. That is, unless they have been purposefully excluded. @@ -83,5 +83,3 @@ When you work with {{site.data.keyword.compliance_short}} outside of the enterpr You can select a single {{site.data.keyword.compliance_short}} instance in your main account to monitor a list of other target accounts (and their resources) and environments. This {{site.data.keyword.compliance_short}} instance in your main account must have access to scan resources in multiple target accounts for {{site.data.keyword.cloud_notm}} resources. You can define multiple scopes for each target account in an attachment. You can create multiple attachments that distribute accounts across multiple attachments. For example, you can select 1 to 200 accounts in a single attachment scope. Then, you can select 201 to 400 accounts in the next attachment scope. - - diff --git a/custom-library.md b/custom-library.md index 14db5ca7..60309835 100644 --- a/custom-library.md +++ b/custom-library.md 
@@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-09-23" +lastupdated: "2024-10-15" keywords: custom profiles, user-defined, controls, goals, security, compliance @@ -19,7 +19,7 @@ subcollection: security-compliance With {{site.data.keyword.compliance_full}}, you can create a custom control library that is specific to your organization's needs. You define the controls and specifications before you map previously created assessments. {: shortdesc} -![The diagram shows the layout of a control library. The information is conveyed in the surrounding text.](images/control-library.svg){: caption="Figure 1. Understanding control libraries" caption-side="bottom"} +![The diagram shows the layout of a control library. The information is conveyed in the surrounding text.](images/control-library.svg){: caption="Understanding control libraries" caption-side="bottom"} A control library is a grouping of controls that are added to {{site.data.keyword.compliance_short}}. The service offers several predefined libraries that are designed to help meet compliance for a specific use case. Each control has several specifications and assessments that are mapped to it. A specification is a defined requirement that is specific to a component. When met by an organization, the specification helps to ensure that they are compliant with the control. An assessment, or several, are mapped to each specification with a detailed evaluation that is done to check whether the specification is compliant. For more information, see [Key Concepts](/docs/security-compliance?topic=security-compliance-posture-management). diff --git a/custom-profile.md b/custom-profile.md index 5a5b8190..dd035fc3 100644 --- a/custom-profile.md +++ b/custom-profile.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-09-23" +lastupdated: "2024-10-15" keywords: custom profiles, user-defined, controls, goals, security, compliance 
@@ -20,7 +20,7 @@ With {{site.data.keyword.compliance_full}}, you can take advantage of predefined {: shortdesc} -![The diagram shows the layout of a profile. The information is conveyed in the surrounding text.](images/profile.svg){: caption="Figure 1. Understanding profiles" caption-side="bottom"} +![The diagram shows the layout of a profile. The information is conveyed in the surrounding text.](images/profile.svg){: caption="Understanding profiles" caption-side="bottom"} A profile is a grouping of controls that can be evaluated for compliance. In {{site.data.keyword.compliance_short}}, you can work with predefined profiles, or you can create a profile by selecting controls that have already been added to a control library. Controls already have specifications and assessments that are associated with them, but you can choose to create your own. To learn more about each entity, see [Key Concepts](/docs/security-compliance?topic=security-compliance-posture-management). diff --git a/custom-rule.md b/custom-rule.md index fd65c79c..e021bef1 100644 --- a/custom-rule.md +++ b/custom-rule.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-09-23" +lastupdated: "2024-10-15" keywords: custom profiles, user-defined, controls, goals, security, compliance @@ -103,7 +103,7 @@ String-based operators are case-sensitive. | `num_greater_than` | Numeric | The property value is numerically greater than the condition value. | Yes | | `num_greater_than_equals` | Numeric | The property value is numerically greater than or equal to the condition value. | Yes | | `days_less_than` | Numeric | The property value is less than the condition value. | Yes | -{: caption="Table 3. Supported operator types" caption-side="top"} +{: caption="Supported operator types" caption-side="top"} [^string_equals]: To include multiple values, use an array. For example, `{"value": ["A", "B," "C"]}`. 
@@ -135,7 +135,7 @@ Most often, rules are more complex than a single property. To create more comple 2. If any of the three options are true. 3. If A is true or if B and C are both true. -![The diagram shows the correlation between multiple conditions. The information is conveyed in the surrounding text.](images/config-rules-property.svg){: caption="Figure 1. The ways in which properties can relate to each other." caption-side="bottom"} +![The diagram shows the correlation between multiple conditions. The information is conveyed in the surrounding text.](images/config-rules-property.svg){: caption="The ways in which properties can relate to each other." caption-side="bottom"} diff --git a/framework/architecture-workload-isolation.md b/framework/architecture-workload-isolation.md index 3fdecc74..850d7204 100644 --- a/framework/architecture-workload-isolation.md +++ b/framework/architecture-workload-isolation.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-08-07" +lastupdated: "2024-10-15" keywords: public isolation for {{site.data.keyword.compliance_short}}, compute isolation for {{site.data.keyword.compliance_short}}, {{site.data.keyword.compliance_short}} architecture, workload isolation in {{site.data.keyword.compliance_short}} 
@@ -27,13 +27,13 @@ Review the following architecture for {{site.data.keyword.compliance_full}} and Check out the following image to see how the service workloads are isolated and managed. -![This image shows the workload isolation for the {{site.data.keyword.compliance_short}} service.](../images/architecture.svg){: caption="Figure 1. Workload isolation" caption-side="bottom"} +![This image shows the workload isolation for the {{site.data.keyword.compliance_short}} service.](../images/architecture.svg){: caption="Workload isolation" caption-side="bottom"} | Component | Description | |:----------|:------------| | Control plane | The microservices that make up the individual components of the service run in the control plane, where they are isolated from the other components. Additionally, internal dependencies are run and isolated as part of the control plane. | | Data plane | | -{: caption="Table 1. IBM-managed components of the {{site.data.keyword.compliance_short}}" caption-side="top"} +{: caption="IBM-managed components of the {{site.data.keyword.compliance_short}}" caption-side="top"} {: #ibm-managed} {: tab-title="IBM"} {: tab-group="arch-manage"} @@ -43,7 +43,7 @@ Check out the following image to see how the service workloads are isolated and |:----------|:------------| | {{site.data.keyword.cloud_notm}} services | As you interact with {{site.data.keyword.compliance_short}}, you are responsible for the instances of the other services that you chose to interact with through the service. | | {{site.data.keyword.at_short}} | As you interact with the service, a log of the events that are generated can be found in your instance of {{site.data.keyword.at_short}}. | -{: caption="Table 1. Customer-managed components of the {{site.data.keyword.compliance_short}}" caption-side="top"} +{: caption="Customer-managed components of the {{site.data.keyword.compliance_short}}" caption-side="top"} {: #customer-managed} {: tab-title="Customer"} {: tab-group="arch-manage"} 
@@ -55,4 +55,3 @@ Check out the following image to see how the service workloads are isolated and {: #workload-isolation} Each regional deployment of the {{site.data.keyword.compliance_short}} serves multiple tenants and can be accessed through public endpoints. By default, all data at rest is encrypted by IBM keys. Data in transit is encrypted by using TLS. Your data is isolated from other customers' data, but it does share physical resources such as CPU, memory, and I/O devices. - diff --git a/framework/at-events.md b/framework/at-events.md index 9b96a410..303487cd 100644 --- a/framework/at-events.md +++ b/framework/at-events.md @@ -1,7 +1,7 @@ --- copyright: years: 2020, 2024 -lastupdated: "2024-10-08" +lastupdated: "2024-10-15" keywords: Activity Tracker for {{site.data.keyword.compliance_short}}, LogDNA for {{site.data.keyword.compliance_short}}, {{site.data.keyword.compliance_short}} events, {{site.data.keyword.compliance_short}} security, audit logs for {{site.data.keyword.compliance_short}}, viewing {{site.data.keyword.compliance_short}} events, {{site.data.keyword.compliance_short}} events @@ -62,4 +62,4 @@ You must use a paid plan for the {{site.data.keyword.at_short}} service to see e | `compliance.admin-settings.list` | View {{site.data.keyword.compliance_short}} settings for your account. | | `compliance.admin-settings.update` | Update {{site.data.keyword.compliance_short}} settings for your account. | | `compliance.admin-test-event.send` | Send a test event to a connected {{site.data.keyword.en_short}} service instance. | -{: caption="Table 1. List of events that apply to {{site.data.keyword.compliance_short}}" caption-side="top"} +{: caption="List of events that apply to {{site.data.keyword.compliance_short}}" caption-side="top"} diff --git a/framework/disaster-recovery.md b/framework/disaster-recovery.md index 410aa5b3..e5eb51f9 100644 --- a/framework/disaster-recovery.md +++ b/framework/disaster-recovery.md 
@@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-01-03" +lastupdated: "2024-10-15" keywords: HA for {{site.data.keyword.compliance_short}}, DR for {{site.data.keyword.compliance_short}}, high availability for {{site.data.keyword.compliance_short}}, disaster recovery for {{site.data.keyword.compliance_short}}, failover for {{site.data.keyword.compliance_short}}, BC for {{site.data.keyword.compliance_short}}, business continuity for {{site.data.keyword.compliance_short}}, disaster recovery for {{site.data.keyword.compliance_short}} @@ -43,7 +43,7 @@ For more information about configuring Cloud Object Storage, including how to ma | --------------------------- | ------------ | | RPO | 12 hours | | RTO | 4 hours | -{: caption="Table 1. RPO and RTO for {{site.data.keyword.compliance_short}}" caption-side="bottom"} +{: caption="RPO and RTO for {{site.data.keyword.compliance_short}}" caption-side="bottom"} If you require continuous scans while the primary region is unavailable, you can provision a new instance of {{site.data.keyword.compliance_short}} by using a new Cloud Object Storage bucket. However, you cannot access previous scan result data until the regional service is restored. {: tip} diff --git a/framework/endpoints.md b/framework/endpoints.md index f2d86559..9f2d55db 100644 --- a/framework/endpoints.md +++ b/framework/endpoints.md @@ -2,7 +2,7 @@ copyright: years: "2024" -lastupdated: "2024-04-23" +lastupdated: "2024-10-15" keywords: security compliance developer tools, integrate with application, API, SDK, CLI 
@@ -42,7 +42,7 @@ Review the following table to determine the API endpoints to use when you connec | Frankfurt | **Public:** `https://eu-de.compliance.cloud.ibm.com/instances/{instance_id}/v3` \n \n **Private:** `https://private.eu-de.compliance.cloud.ibm.com/instances/{instance_id}/v3` | | Toronto | **Public:** `https://ca-tor.compliance.cloud.ibm.com/instances/{instance_id}/v3` \n \n **Private:** `https://private.ca-tor.compliance.cloud.ibm.com/instances/{instance_id}/v3` | | Madrid | **Public:** `https://eu-es.compliance.cloud.ibm.com/instances/{instance_id}/v3` \n \n **Private:** `https://private.eu-es.compliance.cloud.ibm.com/instances/{instance_id}/v3` | -{: caption="Table 1. Endpoints for interacting with {{site.data.keyword.compliance_short}}" caption-side="top"} +{: caption="Endpoints for interacting with {{site.data.keyword.compliance_short}}" caption-side="top"} @@ -69,9 +69,6 @@ Replace the variables in the example request according to the following table. | `region` | The region abbreviation that represents the geographic area where your {{site.data.keyword.compliance_short}} is located. For example, `us-south` or `eu-de`. | | `url_encoded_instance_CRN` | The Cloud Resource Name (CRN) that uniquely identifies your {{site.data.keyword.compliance_short}} service instance. The value must be URL encoded. | | `IAM_token` | Your {{site.data.keyword.cloud_notm}} IAM access token. | -{: caption="Table 3. Required parameters for retrieving service endpoints with the API" caption-side="top"} +{: caption="Required parameters for retrieving service endpoints with the API" caption-side="top"} A successful request returns the endpoint URLs that are associated with the region and service instance CRN that you specify. - - - diff --git a/framework/event-notifications.md b/framework/event-notifications.md index 64427f0b..a2a6dab2 100644 --- a/framework/event-notifications.md +++ b/framework/event-notifications.md 
@@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-09-23" +lastupdated: "2024-10-15" keywords: event notifications for {{site.data.keyword.compliance_short}}, event notifications integration for {{site.data.keyword.compliance_short}}, alerts for {{site.data.keyword.compliance_short}} @@ -29,7 +29,7 @@ Review the following sections to learn about the events that are generated by sp | `com.ibm.cloud.compliance.posture` | `posture-scan-completed` | An event is sent when a scan is complete. | | `com.ibm.cloud.compliance.posture` | `posture-scan-failure-threshold-limit-exceeds` | An event is sent when your specified threshold of failed controls is met. | | `com.ibm.cloud.compliance.posture` | `posture-scan-new-resource-in-inventory` | An event is sent when a new resource is found in your inventory. | -{: caption="Table 1. List of events that apply to {{site.data.keyword.compliance_short}}" caption-side="top"} +{: caption="List of events that apply to {{site.data.keyword.compliance_short}}" caption-side="top"} 
@@ -48,7 +48,7 @@ Events that are generated by the {{site.data.keyword.compliance_short}} can be f Before you can enable notifications for {{site.data.keyword.compliance_short}}, be sure that you have an [{{site.data.keyword.en_short}} service instance](/catalog/services/event-notifications){: external} that is in the same account. Then, you can use the **Settings > Event Notifications** section in the {{site.data.keyword.compliance_short}} UI to connect the services. -![The image shows the {{site.data.keyword.en_short}} screen in the Security and Compliance Center UI.](../images/event-notifications.svg){: caption="Figure 1. Connecting to {{site.data.keyword.en_short}}" caption-side="bottom"} +![The image shows the {{site.data.keyword.en_short}} screen in the Security and Compliance Center UI.](../images/event-notifications.svg){: caption="Connecting to {{site.data.keyword.en_short}}" caption-side="bottom"} 1. In the {{site.data.keyword.cloud_notm}} console, go to the **Resource list** page and select your instance of {{site.data.keyword.compliance_short}}. 2. In your instance of {{site.data.keyword.compliance_short}}, go to the **Settings** page. @@ -438,4 +438,4 @@ Review the following table for more information about event notification propert | `profile` | The name of the profile that is associated with the scan.| | `start_time` | The date and time the scan started. | | `end_time` | The date and time the scan completed. | -{: caption="Table 2. Properties in an event notification payload" caption-side="bottom"} +{: caption="Properties in an event notification payload" caption-side="bottom"} diff --git a/framework/external-logs.md b/framework/external-logs.md index 0e8b40c0..5c8fef00 100644 --- a/framework/external-logs.md +++ b/framework/external-logs.md 
@@ -1,7 +1,7 @@ --- copyright: years: 2020, 2024 -lastupdated: "2024-02-27" +lastupdated: "2024-10-15" keywords: LogDNA for {{site.data.keyword.compliance_short}}, {{site.data.keyword.compliance_short}} logging, {{site.data.keyword.compliance_short}} external logs @@ -69,7 +69,7 @@ Table 4 outlines the fields that are included in each log record: | `requestId` | Optional | Identifier of the associated request. | | `resolution` | Optional | Guidance on how to proceed if you receive this log record. | | `documentUrls` | Optional | More information on how to proceed if you receive this log record. | -{: caption="Table 4. Log record fields" caption-side="top"} +{: caption="Log record fields" caption-side="top"} ## Log messages {: #logging_msgs} @@ -87,6 +87,4 @@ The following table lists the message IDs that are generated by the {{site.data. | `compliance.00007E` | ERROR | Billing plan validation failed. | `attachmentID`, `scanType` | Most likely your trial-period has ended, please check and upgrade your plan. To continue to work with the service. | | `compliance.00008E` | ERROR | Scan failed. | `scanID` | Scan failed due to an unexpected error, please create support case with the necessary information like correlationId. | | `compliance.00009E` | ERROR | Unable to store report in Cloud Object Storage bucket. | `scanID` | Validate the configuration of your Cloud Object Storage bucket associated with this Security and Compliance instance. | -{: caption="Table 5. Message IDs" caption-side="top"} - - +{: caption="Message IDs" caption-side="top"} diff --git a/framework/iam.md b/framework/iam.md index 9765d572..48ecc04d 100644 --- a/framework/iam.md +++ b/framework/iam.md 
@@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-10-07" +lastupdated: "2024-10-15" keywords: IAM access for {{site.data.keyword.compliance_short}}, permissions for {{site.data.keyword.compliance_short}}, identity and access management for {{site.data.keyword.compliance_short}}, roles for {{site.data.keyword.compliance_short}}, actions for {{site.data.keyword.compliance_short}}, assigning access for {{site.data.keyword.compliance_short}} @@ -80,7 +80,7 @@ Last year, {{site.data.keyword.compliance_short}} transitioned from a global ser | `compliance.targets.read` | View targets. | Viewer | Reader | | `compliance.targets.update` | Update a target. | Editor | Writer | | `compliance.targets.delete` | Delete a target. | Editor | Writer | -{: caption="Table 1. IAM user roles and actions" caption-side="top"} +{: caption="IAM user roles and actions" caption-side="top"} [^attach-1]: To create an attachment within an enterprise, you must also have permissions for the enterprise. You can provide Administrator access to the entire enterprise or create a custom role using the actions found in the following section. diff --git a/framework/responsibilities.md b/framework/responsibilities.md index d26b4cdd..b7a7526d 100644 --- a/framework/responsibilities.md +++ b/framework/responsibilities.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-03-01" +lastupdated: "2024-10-15" keywords: responsibilities for {{site.data.keyword.compliance_short}} 
@@ -32,7 +32,7 @@ Incident and operations management includes tasks such as monitoring, event mana | Monitor the system | Provide integration with select third-party partnership technologies, such as {{site.data.keyword.cloud_notm}} Activity Tracker. | Use the provided tools to review instance logs and activities. | | Incident management | Provide notifications for planned maintenance, security bulletins, or unplanned outages. | Set preferences to receive emails about platform notifications, and monitor the {{site.data.keyword.cloud_notm}} status page for general announcements. | {: row-headers} -{: caption="Table 1. Responsibilities for incident and operations" caption-side="bottom"} +{: caption="Responsibilities for incident and operations" caption-side="bottom"} {: summary="The first column describes the task that the customer or IBM might be responsibility for. The second column describes {{site.data.keyword.IBM_notm}} responsibilities for that task. The third column describes your responsibilities as the customer for that task."} 
@@ -46,7 +46,7 @@ Change management includes tasks such as deployment, configuration, upgrades, pa | Updates, fixes, and new features | IBM provides regular updates and bug fixes, as well as new features following a continuous delivery model in a manner transparent to the customer. | | | Updates, fixes, or the delivery of new profiles | Release updates and new profiles in accordance with changing compliance requirements. Notify customers of changes made through release notes and change logs. | Review change logs to understand the updates and migrate to the new profile by creating new attachments. | {: row-headers} -{: caption="Table 2. Responsibilities for change management" caption-side="bottom"} +{: caption="Responsibilities for change management" caption-side="bottom"} {: summary="The first column describes the task that the customer or IBM might be responsibility for. The second column describes {{site.data.keyword.IBM_notm}} responsibilities for that task. The third column describes your responsibilities as the customer for that task."} @@ -59,7 +59,7 @@ Identity and access management includes tasks such as authentication, authorizat |----------|-----------------------|--------| | Restricting access | Provide the ability to control user access based on role. | Use Identity and Access Management (IAM) to assign access. | {: row-headers} -{: caption="Table 3. Responsibilities for identity and access management" caption-side="bottom"} +{: caption="Responsibilities for identity and access management" caption-side="bottom"} {: summary="The first column describes the task that the customer or IBM might be responsibility for. The second column describes {{site.data.keyword.IBM_notm}} responsibilities for that task. The third column describes your responsibilities as the customer for that task."} ## Security and regulation compliance 
@@ -71,7 +71,7 @@ Security and regulation compliance includes tasks such as security controls impl |----------|-----------------------|--------| | Meet security and compliance objectives | Provide a secure service that complies with key standards. For more information about data security, see [How do I know that my data is safe](/docs/overview?topic=overview-security)? | Ensure that you are properly securing your workloads and data so that you are meeting the regulatory standards for your organization. For more information about bucket requirements for results storage, see [Storing and processing data](/docs/security-compliance?topic=security-compliance-storage). | {: row-headers} -{: caption="Table 4. Responsibilities for security and regulation compliance" caption-side="bottom"} +{: caption="Responsibilities for security and regulation compliance" caption-side="bottom"} {: summary="The first column describes the task that the customer or IBM might be responsibility for. The second column describes {{site.data.keyword.IBM_notm}} responsibilities for that task. The third column describes your responsibilities as the customer for that task."} ## Disaster recovery @@ -86,7 +86,5 @@ Disaster recovery includes tasks such as providing dependencies on disaster reco | Recovery of configuration | Conduct recovery in the original region when availability is returned. | | | Recovery of scan results | | Conduct recovery of your Cloud Object Storage data according to best practices. | {: row-headers} -{: caption="Table 5. Responsibilities for disaster recovery" caption-side="bottom"} +{: caption="Responsibilities for disaster recovery" caption-side="bottom"} {: summary="The first column describes the task that the customer or IBM might be responsibility for. The second column describes {{site.data.keyword.IBM_notm}} responsibilities for that task. The third column describes your responsibilities as the customer for that task."} - - 
diff --git a/getting-started.md b/getting-started.md index 121e6c38..dee3627f 100644 --- a/getting-started.md +++ b/getting-started.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-10-08" +lastupdated: "2024-10-15" keywords: getting started with the security and compliance center, get started, security, compliance @@ -87,9 +87,9 @@ To evaluate your resources, you must create an attachment. An attachment pairs t 5. Select the scope that you want to target. Then, click **Next**. The scopes that are available in this view are filtered only to those scopes that contain resources that can be evaluated against your selected profile. If you aren't seeing the scope that you created, select a different profile or adjust the resources included in your scope. - {: tip} + {: tip} -6. In the annotation section, add custom annotations to individual controls. These annotations are for reference only and do not affect the evaluation process. Then, click **Next**. +6. In the annotation section, add custom annotations to individual controls. These annotations are for reference only and do not affect the evaluation process. Then, click **Next**. 7. Define your scan settings. diff --git a/integrations/caveonix.md b/integrations/caveonix.md index 7641cfc7..b8e0556d 100644 --- a/integrations/caveonix.md +++ b/integrations/caveonix.md @@ -2,7 +2,7 @@ copyright: years: 2024 -lastupdated: "2024-09-23" +lastupdated: "2024-10-15" keywords: Centralized security, workload protection, compliance monitoring, compliance, scan, sysdig, multicloud, multi-cloud, azure, amazon, aws 
@@ -20,7 +20,7 @@ You can configure Caveonix Cloud Platform to send results to {{site.data.keyword To learn more about how the integration is configured, check out the following diagram. -![The image shows the sequence of events that a user follows as part of setting up the integration.](../images/caveonix.svg){: caption="Figure 1. Caveonix integration flow" caption-side="bottom"} +![The image shows the sequence of events that a user follows as part of setting up the integration.](../images/caveonix.svg){: caption="Caveonix integration flow" caption-side="bottom"} 1. Configure {{site.data.keyword.compliance_short}} by creating an instance, connecting a Cloud Object Storage bucket to store results, and registering Caveonix as an integration. Then, create an attachment to start seeing results. 2. Configure Caveonix to send results to {{site.data.keyword.compliance_short}}. diff --git a/integrations/integrations.md b/integrations/integrations.md index 723c8b9f..8b8a3b5b 100644 --- a/integrations/integrations.md +++ b/integrations/integrations.md @@ -2,7 +2,7 @@ copyright: years: 2024 -lastupdated: "2024-01-10" +lastupdated: "2024-10-15" keywords: Centralized security, compliance monitoring, compliance, integration 
@@ -26,7 +26,7 @@ To fully understand your security and compliance landscape across multiple cloud Depending on the integration, {{site.data.keyword.compliance_short}} obtains the data about your current compliance posture differently. You might be required to configure the integration in another product or it might be automatically pulled after the configuration is established. Check out the following image to learn more about the different patterns that are used in the service. -![The image shows the sequence of events that a user follows as part of setting up the integration.](../images/data-model.svg){: caption="Figure 1. Data model options" caption-side="bottom"} +![The image shows the sequence of events that a user follows as part of setting up the integration.](../images/data-model.svg){: caption="Data model options" caption-side="bottom"} @@ -42,7 +42,7 @@ The following integrations are available in {{site.data.keyword.compliance_short | Toolchain |The Toolchain service pushes results to {{site.data.keyword.compliance_short}} and {{site.data.keyword.compliance_short}} pulls results from Toolchain depending on the configuration. | [![Note icon](../../icons/note_icon.svg)](/docs/devsecops?topic=devsecops-cd-devsecops-scc-toolchains) | | Caveonix | Caveonix pushes results to {{site.data.keyword.compliance_short}} | [![Note icon](../../icons/note_icon.svg)](/docs/security-compliance?topic=security-compliance-setup-caveonix) | | CyberStrong | {{site.data.keyword.compliance_short}} forwards results | [![Note icon](../../icons/note_icon.svg)](https://support.cybersaint.io/hc/en-us/categories/8496076077165-Knowledge-Library) | -{: caption="Table 1. Available integrations" caption-side="bottom"} +{: caption="Available integrations" caption-side="bottom"} 
@@ -50,5 +50,3 @@ The following integrations are available in {{site.data.keyword.compliance_short {: #integrations-existing} After you create integrations between {{site.data.keyword.compliance_short}} and another product, you can easily find all existing integrations. To find a particular integration that is already registered with {{site.data.keyword.compliance_short}}, navigate to the **Integrations** page in the {{site.data.keyword.compliance_short}} UI. - - diff --git a/integrations/workloadprotection.md b/integrations/workloadprotection.md index 299606f1..ffb5e658 100644 --- a/integrations/workloadprotection.md +++ b/integrations/workloadprotection.md @@ -2,7 +2,7 @@ copyright: years: 2024 -lastupdated: "2024-09-23" +lastupdated: "2024-10-15" keywords: Centralized security, workload protection, compliance monitoring, compliance, scan, sysdig, multicloud, multi-cloud, azure, amazon, aws @@ -22,7 +22,7 @@ You can pull results from multiple environments, including Amazon Web Services a To learn more about how the integration is configured, check out the following diagram. -![The image shows the sequence of events that a user follows as part of setting up the integration.](../images/workload-protection.svg){: caption="Figure 1. {{site.data.keyword.sysdigsecure_short}} integration flow" caption-side="bottom"} +![The image shows the sequence of events that a user follows as part of setting up the integration.](../images/workload-protection.svg){: caption="{{site.data.keyword.sysdigsecure_short}} integration flow" caption-side="bottom"} 1. Register an Cloud Object Storage bucket to store results. 1. Create an instance of {{site.data.keyword.sysdigsecure_short}} from the {{site.data.keyword.cloud_notm}} catalog. diff --git a/known-issues.md b/known-issues.md index 85e1181e..3d882810 100644 --- a/known-issues.md +++ b/known-issues.md 
@@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-08-07" +lastupdated: "2024-10-15" keywords: known limitations, rules, limits, configuration, ibm remediation, ssh key @@ -22,6 +22,4 @@ When you work with {{site.data.keyword.compliance_full}}, you might encounter th | Issue | Workaround | |:-------|:-----------| | You cannot create a second integration. | Only one integration can be created for each name or URL. If you need to update your integration in some way, delete the integration and create a new one. | -{: caption="Table 1. Known issues and workarounds" caption-side="top"} - - +{: caption="Known issues and workarounds" caption-side="top"} diff --git a/landing.json b/landing.json index b4cad2fb..24d2bf0b 100644 --- a/landing.json +++ b/landing.json @@ -1,6 +1,6 @@ { "title": "Security and Compliance Center docs", - "lastupdated": "2024-10-08", + "lastupdated": "2024-10-15", "introduction": "With IBM Cloud Security and Compliance Center, you can embed security checks into your every day workflows to help monitor for security and compliance.", "section_devtools": { "api": "/apidocs/security-compliance", diff --git a/limits.md b/limits.md index 5c480f7e..f7b3dcce 100644 --- a/limits.md +++ b/limits.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-10-08" +lastupdated: "2024-10-15" keywords: known limitations, rules, limits, configuration, ibm remediation, ssh key @@ -24,7 +24,7 @@ subcollection: security-compliance | Attachments | 50 per account | | Scans | 1 per attachment at a time | | Exclusions | 1000 per attachment | -{: caption="Table 1. {{site.data.keyword.compliance_short}} Limits" caption-side="top"} +{: caption="{{site.data.keyword.compliance_short}} Limits" caption-side="top"} {: #attachment-limits} {: tab-title="Attachments"} {: tab-group="limits"} 
@@ -34,7 +34,7 @@ subcollection: security-compliance |:--------|:-------| | Scopes | 1000 per instance /n 300 per attachment | | Subscopes | 300 per scope | -{: caption="Table 1. {{site.data.keyword.compliance_short}} Limits" caption-side="top"} +{: caption="{{site.data.keyword.compliance_short}} Limits" caption-side="top"} {: #scope-limits} {: tab-title="Scopes"} {: tab-group="limits"} @@ -48,7 +48,7 @@ subcollection: security-compliance | Controls | 1200 per profile | | Specifications | 100 per control | | Assessments | 10 per specification | -{: caption="Table 1. {{site.data.keyword.compliance_short}} Limits" caption-side="top"} +{: caption="{{site.data.keyword.compliance_short}} Limits" caption-side="top"} {: #profile-limits} {: tab-title="Profiles"} {: tab-group="limits"} @@ -67,7 +67,7 @@ subcollection: security-compliance | Specifications | 100 per control | | Specification description | 1024 characters | | Assessments | 10 per specification | -{: caption="Table 1. {{site.data.keyword.compliance_short}} Limits" caption-side="top"} +{: caption="{{site.data.keyword.compliance_short}} Limits" caption-side="top"} {: #library-limits} {: tab-title="Control Libraries"} {: tab-group="limits"} @@ -82,7 +82,7 @@ subcollection: security-compliance | Conditions | 16 per rule | | Properties | 24 per condition | | Labels | 32 per rule | -{: caption="Table 1. {{site.data.keyword.compliance_short}} Limits" caption-side="top"} +{: caption="{{site.data.keyword.compliance_short}} Limits" caption-side="top"} {: #rule-limits} {: tab-title="Rules"} {: tab-group="limits"} diff --git a/overview.md b/overview.md index 784727b1..92f58202 100644 --- a/overview.md +++ b/overview.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-10-07" +lastupdated: "2024-10-15" keywords: security and compliance, secure development, security strategy 
@@ -27,14 +27,14 @@ Control Control library : A collection of predefined or custom controls. Control libraries show all the controls in your accounts that are available to be evaluated. A library is helpful for organizing and versioning of your controls. A library is structured as follows. - ![The diagram shows the layout of a control library. The information is conveyed in the surrounding text.](images/control-library.svg){: caption="Figure 1. Understanding control libraries" caption-side="bottom"} + ![The diagram shows the layout of a control library. The information is conveyed in the surrounding text.](images/control-library.svg){: caption="Understanding control libraries" caption-side="bottom"} Profile : A group of controls that are related to a specific compliance objective. Although very similar in structure to a control library, a profile can be attached to a set of resources and be evaluated. When you create the attachment, you can set the parameters that define the way that the evaluation is done. - ![The diagram shows the layout of a profile. The information is conveyed in the surrounding text.](images/kc-profile.svg){: caption="Figure 2. Understanding profiles in the new architecture" caption-side="bottom"} + ![The diagram shows the layout of a profile. The information is conveyed in the surrounding text.](images/kc-profile.svg){: caption="Understanding profiles in the new architecture" caption-side="bottom"} Specification : A statement that defines the specific security and privacy requirements that a control must meet. For example, `Check whether App ID Cloud Directory users aren't able to update their own accounts`. 
@@ -67,7 +67,7 @@ Report Now that you have an understanding of the various entities that exist within {{site.data.keyword.compliance_short}}, how do they work together? The following diagram details the user flows that you might take when you are working with {{site.data.keyword.compliance_short}}. -![A diagram that shows the relationship between the entities that you work with in the service.](images/terminology-flow.svg){: caption="Figure 1. Understanding the user flow for {{site.data.keyword.compliance_short}}" caption-side="bottom"} +![A diagram that shows the relationship between the entities that you work with in the service.](images/terminology-flow.svg){: caption="Understanding the user flow for {{site.data.keyword.compliance_short}}" caption-side="bottom"} 1. As a security or compliance focal, choose a predefined profile that is most suitable for your organization. Optionally you can customize the profile by creating custom rules, adding or removing rules, or building your own profile based on the catalog of controls. 2. To start scanning your resources, create an attachment of the profile to the scope of resources you want to scan. You can optionally customize parameters of the controls when you create the attachment. diff --git a/profile-versioning.md b/profile-versioning.md index 17f64727..3ed7110f 100644 --- a/profile-versioning.md +++ b/profile-versioning.md @@ -2,7 +2,7 @@ copyright: years: 2024 -lastupdated: "2024-10-07" +lastupdated: "2024-10-15" keywords: best practices, security and compliance, governance, profile, predefined profiles, profile versioning, benchmark, controls, goals, security, compliance 
@@ -21,7 +21,7 @@ With profile versioning, you can upgrade to the latest version of an {{site.data As of 1 April 2024, profile versions that were created more than 90 days ago will be deprecated if a newer version of the profile is available. After 365 days elapse, a deprecated profile version is removed and all attachments that use this version are removed from your {{site.data.keyword.compliance_short}} instance. {: important} -![The diagram shows a graphical view of the versioning timeline. The information is conveyed in the surrounding text.](images/versioning.svg){: caption="Figure 1. Profile versioning timeline" caption-side="bottom"} +![The diagram shows a graphical view of the versioning timeline. The information is conveyed in the surrounding text.](images/versioning.svg){: caption="Profile versioning timeline" caption-side="bottom"} For example, if version 1.0.0 of a profile is released in January 2025 and then version 1.1.0 is released in April 2025, version 1.1.0 becomes the latest version of the profile. Because 90 days have elapsed since version 1.0.0 was released, this profile version is immediately deprecated when version 1.1.0 is released. Version 1.0.0 will be removed in April 2026, 365 days after deprecation. @@ -65,4 +65,3 @@ You can upgrade your attachment to use the new profile version anytime during th You can't create a new attachment to a deprecated profile version through the {{site.data.keyword.compliance_short}} UI. However, you can do so using the [API](/apidocs/security-compliance?code=curl#create-attachment) until the deprecated profile version expires. {: tip} - diff --git a/releases.md b/releases.md index b7948c62..d97c9669 100644 --- a/releases.md +++ b/releases.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-10-08" +lastupdated: "2024-10-15" keywords: release notes for {{site.data.keyword.compliance_short}}, what's new, enhancements, fixes, improvements 
@@ -21,8 +21,20 @@ The following changes to the service were made available with the associated dat -Control annotations -: You can now add annotations to controls to include important details or notes related to the controls in a profile. The annotations are visible in the results and are added as part of the creating an attachment flow. Additionally, the audit history for annotations can be used to track any changes or updates made to them over time. To get started with annotations, [create an attachment](/docs/security-compliance?topic=security-compliance-attachments). + +## 15 October 2024 +{: #security-compliance-oct1524} +{: release-note} + +Rules changes are available +: The following rule was updated. + + * Check whether Virtual Private Cloud (VPC) has no rules in the default security group. Rule ID: `rule-96527f89-1867-4581-b923-1400e04661e0` + +Control annotations +: You can now add annotations to controls to include important details or notes related to the controls in a profile. The annotations are visible in the results and are added as part of the creating an attachment flow. Additionally, the audit history for annotations can be used to track any changes or updates made to them over time. To get started with annotations, [create an attachment](/docs/security-compliance?topic=security-compliance-attachments). + + ## 7 October 2024 {: #security-compliance-Oct0724} diff --git a/results.md b/results.md index fa8007b4..bc385845 100644 --- a/results.md +++ b/results.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-10-08" +lastupdated: "2024-10-15" keywords: custom profiles, user-defined, controls, goals, security, compliance 
@@ -40,7 +40,7 @@ Before you get started, be sure that you have the following prerequisites. As you evaluate your resources, the results are returned via the service UI in graphical and detailed formats. -![A visual representation of the service dashboard. The concepts are fully explained in the surrounding text.](images/dashboard.svg){: caption="Figure 2. Example dashboard" caption-side="bottom"} +![A visual representation of the service dashboard. The concepts are fully explained in the surrounding text.](images/dashboard.svg){: caption="Example dashboard" caption-side="bottom"} When you visit the dashboard, there are three graphical representations of data that have been aggregated from your scans. You see the: @@ -64,7 +64,7 @@ When you view results in {{site.data.keyword.compliance_short}}, each evaluation | Fail | Your resource was not compliant with the defined standard. | | Unable to perform | The assessment could not be performed. Potential reasons include the resource not existing in your account, a misconfiguration, or an error on behalf of {{site.data.keyword.compliance_short}}. | | User evaluation required | The assessment has not yet been automated. To validate that you are meeting the standard, you must check your resource manually. | -{: caption="Table 2. Understanding result statuses} +{: caption="Understanding result statuses} 
@@ -86,10 +86,10 @@ A page opens with an **Overview** of your results. To further investigate, you c | | Description | |:---|:---------| -| Overview | On the overview tab, you are provided with a graphical representation of your compliance for your selected scan. \n ![A visual representation of detailed results that are returned when an evaluation is run.](images/results-overview-tab.svg){: caption="Figure 2. Example overview tab results" caption-side="bottom"} \n \n **Success rate**: The rate at which your configurations pass the evaluation that is conducted. \n \n **Total controls**: The total number of controls that were evaluated during this scan. \n \n **Drift**: The difference in results for your selected evaluation timeframe. | -| Controls | On the **Controls** tab, you are provided with an overview of the controls that were evaluated. The controls and their compliance status are listed for the time that the scan was done. \n ![A visual representation of control annotation per control on evaluation report.] (images/results-controls-tab.svg){: caption="Figure 3. Example control tab results" caption-side="bottom"}
click on view history link to view audit history \n (images/results-controls-annotation-history-tab.svg){: caption="Figure 4. Example annotation history" caption-side="bottom"}| -| Resources | On the **Resources** tab, you are provided with the results for each specific resource that was evaluated. \n ![A visual representation of detailed results that are returned when an evaluation is run.](images/results-resources-tab.svg){: caption="Figure 5. Example results tab results" caption-side="bottom"}

In the **JSON** tab, you can see the assessment definition. | -{: caption="Table 1. Understanding detailed results" caption-side="top"} +| Overview | On the overview tab, you are provided with a graphical representation of your compliance for your selected scan. \n ![A visual representation of detailed results that are returned when an evaluation is run.](images/results-overview-tab.svg){: caption="Example overview tab results" caption-side="bottom"} \n \n **Success rate**: The rate at which your configurations pass the evaluation that is conducted. \n \n **Total controls**: The total number of controls that were evaluated during this scan. \n \n **Drift**: The difference in results for your selected evaluation timeframe. | +| Controls | On the **Controls** tab, you are provided with an overview of the controls that were evaluated. The controls and their compliance status are listed for the time that the scan was done. \n ![A visual representation of control annotation per control on evaluation report.] (images/results-controls-tab.svg){: caption="Example control tab results" caption-side="bottom"}
click on view history link to view audit history \n (images/results-controls-annotation-history-tab.svg){: caption="Example annotation history" caption-side="bottom"}| +| Resources | On the **Resources** tab, you are provided with the results for each specific resource that was evaluated. \n ![A visual representation of detailed results that are returned when an evaluation is run.](images/results-resources-tab.svg){: caption="Example results tab results" caption-side="bottom"}

In the **JSON** tab, you can see the assessment definition.
  • In the **Parameters** tab, you can see the parameters that are relevant to that resource.
  • In the **Noncompliant properties** tab, you are able to view which properties are noncompliant to begin remediating any issues that are found.
  • In the **Controls** tab, you are able to view which controls that the assessment is associated with.
  • In the **Additional details** tab, you can view the additional information that a specific provider might send with the evaluation results. This information might include, additional information, relevant links, or evidence.
| +{: caption="Understanding detailed results" caption-side="top"} {: row-headers} ## Viewing results with the API diff --git a/scopes.md b/scopes.md index 234fe26e..dd6c5d03 100644 --- a/scopes.md +++ b/scopes.md @@ -2,7 +2,7 @@ copyright: years: 2020, 2024 -lastupdated: "2024-10-07" +lastupdated: "2024-10-15" keywords: scope, subscope, view results access, @@ -64,7 +64,7 @@ To scan resources in another {{site.data.keyword.cloud_notm}}, you can use the { | All Account Management services | `Viewer` \n `Service Configuration Reader`| | Kubernetes Service | `Reader` \n `Viewer` \n `Administrator` \n `Service Configuration Reader` | | All Identity and Access enabled services | `Reader` \n `Viewer` \n `Service Configuration Reader` | - {: caption="Table 1. Required permissions for your trusted profile" caption-side="top"} + {: caption="Required permissions for your trusted profile" caption-side="top"} The Kubernetes Service access policy is required to run the Red Hat OpenShift Compliance Operator (OSCO) scan when an attachment is created. {: note} @@ -110,7 +110,7 @@ Currently, only Watson Machine Learning services require these steps. Additional | All Account Management services | `Viewer` \n `Service Configuration Reader`| | Kubernetes Service | `Reader` \n `Viewer` \n `Administrator` \n `Service Configuration Reader` | | All Identity and Access enabled services | `Reader` \n `Viewer` \n `Service Configuration Reader` | - {: caption="Table 2. Required permissions for your trusted profile" caption-side="top"} + {: caption="Required permissions for your trusted profile" caption-side="top"} 3. In your instance of {{site.data.keyword.secrets-manager_short}}, create an [arbitrary](/docs/secrets-manager?topic=secrets-manager-arbitrary-secrets) or [IAM credentials](/docs/secrets-manager?topic=secrets-manager-iam-credentials) secret to store the API key that you previously created. 
@@ -171,4 +171,3 @@ You can create a scope that contains resouces in other environments by using the 5. Review your selections and click **Create**. Next, [create an attachment](/docs/security-compliance?topic=security-compliance-attachments) to start evaluating your resources. - diff --git a/tutorials/osco-v2.md b/tutorials/osco-v2.md index 7135ddd7..04a9ff3b 100644 --- a/tutorials/osco-v2.md +++ b/tutorials/osco-v2.md @@ -1,8 +1,8 @@ --- copyright: - years: 2021, 2023 -lastupdated: "2023-10-11" + years: 2021, 2024 +lastupdated: "2024-10-15" keywords: goals, parameters, customize parameters, customize goals, security and compliance, @@ -37,7 +37,7 @@ Before you get started with this tutorial, be sure you have the prerequisites: |:--------|:--------------|:-------| | {{site.data.keyword.compliance_short}} | Compliance Management | Needed to enable a service-to-service authorization \n To view this role, you must be assigned the Administrator role for the service | | {{site.data.keyword.openshiftshort}} | Manager | Required to install OSCO | - {: caption="Table 1. Required user permissions" caption-side="top"} + {: caption="Required user permissions" caption-side="top"} ## Enable an authorization @@ -88,4 +88,3 @@ To scan your resources, you create an attachment between the resource that you w {: #osco-next} When the scan completes, your results become available in the {{site.data.keyword.compliance_short}} dashboard. Be sure to check back in a few hours to see what your results returned. - diff --git a/tutorials/tags.md b/tutorials/tags.md index b6c6a90e..cacc9877 100644 --- a/tutorials/tags.md +++ b/tutorials/tags.md @@ -2,7 +2,7 @@ copyright: years: 2021, 2024 -lastupdated: "2024-09-23" +lastupdated: "2024-10-15" keywords: customize rules, parameters, customize parameters, customize goals, security and compliance, tags 
@@ -49,7 +49,7 @@ Services that support resource tags have additional configuration properties suc 3. Enter a Description. For example: `Check if Event Notifications instances have production tags` 4. Select **Event Notifications** as the service in the **Target your resource** section - ![A visual representation of how to select the target service.](../images/target-your-resource.png){: caption="Figure 1. Example of setting the target resource" caption-side="bottom"} + ![A visual representation of how to select the target service.](../images/target-your-resource.png){: caption="Example of setting the target resource" caption-side="bottom"} 5. In the **Configure your properties** section, make the following selections. 1. Select **user_tags** as the property. 
@@ -57,18 +57,18 @@ Services that support resource tags have additional configuration properties suc 3. Enter **env:prod** as the value. 4. Click **Add to rule**. - ![A visual representation of how to select configure the resource properties.](../images/configure-properties.png){: caption="Figure 2. Example of configuring resource properties" caption-side="bottom"} + ![A visual representation of how to select configure the resource properties.](../images/configure-properties.png){: caption="Example of configuring resource properties" caption-side="bottom"} 6. Review the JSON of your rule to ensure that it is correct. - ![A visual representation of JSON.](../images/add-to-rule.png){: caption="Figure 3. Example of the rule JSON" caption-side="bottom"} + ![A visual representation of JSON.](../images/add-to-rule.png){: caption="Example of the rule JSON" caption-side="bottom"} 7. Click **Next**. 8. Review the full rule definition and click **Create**. Now you have a custom rule to check if Event Notifications resources have `env:prod` tag. -![A visual representation of Custom rule.](../images/custom-rule.png){: caption="Figure 4. Example of custom rule" caption-side="bottom"} +![A visual representation of Custom rule.](../images/custom-rule.png){: caption="Example of custom rule" caption-side="bottom"} ## Create a custom control library @@ -84,7 +84,7 @@ For {{site.data.keyword.compliance_short}} to use the control that you created, 1. Click **Create** in the **Group by control** section. 2. Provide the details of your control. - ![A visual representation of Custom control.](../images/create-control.png){: caption="Figure 5. Example of custom control" caption-side="bottom"} + ![A visual representation of Custom control.](../images/create-control.png){: caption="Example of custom control" caption-side="bottom"} 3. Add specifications to your control. 1. Click **Add**. 
@@ -93,11 +93,11 @@ For {{site.data.keyword.compliance_short}} to use the control that you created, 4. Select the rule that you created in the first step. 5. Click **Create**. - ![A visual representation of Custom control.](../images/control-specification.png){: caption="Figure 6. Example of control specification" caption-side="bottom"} + ![A visual representation of Custom control.](../images/control-specification.png){: caption="Example of control specification" caption-side="bottom"} 5. Click **Create**. -![A visual representation of Custom control.](../images/create-control-2.png){: caption="Figure 7. Example of custom control" caption-side="bottom"} +![A visual representation of Custom control.](../images/create-control-2.png){: caption="Example of custom control" caption-side="bottom"} Your control library has a single control in this example. You can always add additional controls as needed. @@ -120,7 +120,7 @@ To start evaluating your resources against your rule, you must add it to a profi 2. Select the **Custom** tab to view your custom control library. 3. Select the control library that you created in the previous step. - ![A visual representation of selecting a Custom control.](../images/select-cl.png){: caption="Figure 8. Example of selecting a custom control" caption-side="bottom"} + ![A visual representation of selecting a Custom control.](../images/select-cl.png){: caption="Example of selecting a custom control" caption-side="bottom"} 4. Select the control that you previously created. 5. Click **Next**. 
@@ -129,7 +129,7 @@ To start evaluating your resources against your rule, you must add it to a profi Now your custom rule is available within a profile to start evaluating your resources. -![A visual representation of a custom profile.](../images/custom-profile.png){: caption="Figure 9. Example of a custom profile" caption-side="bottom"} +![A visual representation of a custom profile.](../images/custom-profile.png){: caption="Example of a custom profile" caption-side="bottom"} ## Evaluate your resources {: #tutorial-tag-scan-resources} @@ -150,11 +150,11 @@ In {{site.data.keyword.compliance_short}}, evaluating your resources is done thr 6. If you want to go with the default scan settings (Scan running daily) then click on **Next** else modify the settings 7. Review and click on **Create** - ![A visual representation of an attachment.](../images/attachment.png){: caption="Figure 10. Example of an attachment" caption-side="bottom"} + ![A visual representation of an attachment.](../images/attachment.png){: caption="Example of an attachment" caption-side="bottom"} ## Next steps {: #tutorial-tag-create-next} When the scan completes, your results become available in the {{site.data.keyword.compliance_short}} dashboard. Review the results to see the resources that are not compliant. -![A visual representation of a the result.](../images/tag-result.png){: caption="Figure 11. Example of the result" caption-side="bottom"} +![A visual representation of a the result.](../images/tag-result.png){: caption="Example of the result" caption-side="bottom"}
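Review bot: in releases.md, the new "Rules changes are available" entry under `## 15 October 2024` says the rule `rule-96527f89-1867-4581-b923-1400e04661e0` was updated but not what changed, so a reader cannot tell whether existing scan results for the VPC default security group check will shift. Add one sentence describing the change in evaluation behavior. In the same hunk, the new anchor `{: #security-compliance-oct1524}` is lowercase while the neighboring `{: #security-compliance-Oct0724}` is capitalized; pick one casing so links to release-note anchors stay predictable. The re-added sentence "added as part of the creating an attachment flow" also reads better as "added as part of the attachment creation flow".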
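Review bot: in results.md, hunk `@@ -64,7 +64,7 @@`, the rewritten caption line `{: caption="Understanding result statuses}` is still missing the closing double quote before `}`, so the attribute is unterminated in both the removed and the added line. Since the line is being touched anyway, close the quote and give it a `caption-side` like the other table captions in this patch, for example `{: caption="Understanding result statuses" caption-side="top"}`.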
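Review bot: in results.md, hunk `@@ -86,10 +86,10 @@`, the Controls row carries two broken image references over unchanged into the added lines: `![...] (images/results-controls-tab.svg)` has a space between `]` and `(`, and `(images/results-controls-annotation-history-tab.svg){: caption="Example annotation history" ...}` has no `![alt text]` in front of it, so neither will render as an image and the second has no alt text. Remove the space, add alt text for the annotation history image, and capitalize "click on view history link" as a sentence. The Resources row caption "Example results tab results" also looks like it should say "resources tab".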
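Review bot: in limits.md, hunk `@@ -34,7 +34,7 @@`, the Scopes row in the context reads `1000 per instance /n 300 per attachment`, where `/n` should be the `\n` line-break marker used in the other tables in this patch, so the two limits run together with a literal "/n" in the rendered cell. Fix it in this pass. With "Table 1." dropped, all five caption lines in this file are now the identical `{{site.data.keyword.compliance_short}} Limits`; consider naming the entity in each caption (Attachments, Scopes, Profiles, Control Libraries, Rules) so the tables can be told apart outside the tab UI.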
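Review bot: in tutorials/tags.md, hunks `@@ -84,7 +84,7 @@` and `@@ -93,11 +93,11 @@`, removing the "Figure N." prefixes leaves two figures with the same caption, `caption="Example of custom control"` on both `create-control.png` and `create-control-2.png`, and three figures sharing the alt text "A visual representation of Custom control." including `control-specification.png`. Give each figure a caption and alt text that say what it shows, since the number was the only thing distinguishing them. In the last hunk the alt text "A visual representation of a the result." has a stray "a".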