Creating custom goals

A goal is a specific technical check that is performed on collected data. Groups of goals are mapped to applicable controls, which are used to evaluate compliance. IBM Z® Security and Compliance Center includes various predefined goals. In addition, you can create your own custom goals, which you can include in profiles for validation scans.

Before you begin

Ensure that you have the required level of access to create a custom goal. Only users with administrator access (compliance-admin) or ISV access (compliance-isv) can perform the actions that are mentioned in the instructions. For more information about roles, see User role mappings.

Vendor note: IBM recommends that any goals that you supply to clients are created by users who are assigned to the compliance-isv role.

Creating a custom goal

You can create a custom goal that is specific to your needs.

Follow these steps in the UI dashboard:
  1. If you have installed the 1.2.1.3 version of the zSCC, access the Compliance application installed in the zSCC platform. Click Installed Applications > Compliance > Configure > Goals in the navigation menu in the zSCC.

    If you have installed the 1.2.1.2 or a previous version of the zSCC, access the application. In the navigation menu, locate and click Goals.

  2. Click Create.
  3. On the Goal details tab, give your goal a name and a meaningful description. For the name, use only alphanumeric characters and underscores. For example, if you are creating a goal that includes access-related checks, you might name this goal Access_Checks.

    The z/OS environment type is selected already; it cannot be changed.

  4. Click Next.
  5. On the Select data fields tab:
    1. Select the component (a z/OS component or element) from the list provided, such as RACF or JES2.
    2. Select the resource type. This value is the specific SMF subtype to be used for collecting the data that you want to check as part of performing the goal.
    3. Select one or more SMF data fields that you want to check as part of performing the goal. The fields correspond to the SMF subtype that you selected for resource type.
  6. Click Next.
  7. On the Create goal logic step, indicate the conditions that satisfy the goal. To do so, use the logic builder to create one or more rules, as follows:
    1. Click Add AND/OR clause.
    2. Select an SMF data field.
    3. Specify the logical operator, such as equals ('==') or greater-than ('>').
    4. Enter the value of the field to be tested.
    5. Optionally, enable Make parameter modifiable? to allow the SMF data field to be modified on the Goals parameter page. By default, this option is not enabled.

    To create a compound goal, click Add IF clause to add more rules in groupings of one or two clauses.

    Notes:
    1. You can combine AND/OR clauses for specific checks, or nest IF clauses to create more complex logical expressions.
    2. Each level must contain two clauses. When you use an IF clause, be sure to include at least two AND/OR clauses or nest additional IF clauses for more complex logical expressions.
    3. In each AND/OR clause, you can specify field values for defining the conditions.

    Repeat the steps, adding groups of rules until you have the set of conditions that you want the goal to test.

  8. For Severity, indicate the importance of meeting the goal: Critical, High, Medium, or Low.
  9. For Success message, enter a text string to be displayed in the UI when the goal is satisfied. For example, Passed this check.
  10. For Failed message, enter a text string to be displayed in the UI when the goal is not satisfied. For example, Failed this check.
  11. Optionally, associate one or more tags with the goal by making selections from the Tags list. To add a custom tag, click Add Tag, which opens a window for you to name the tag and add it to the Tags list. A tag must be selected from the Tags list to be applied to the goal.

    If no tags are selected, the ZOS tag is applied by default.

  12. Click Next.
  13. On the Review step, check the details about the goal to be created. To return to a previous step to make a change, click Back. Otherwise, click Save to save the goal to IBM Z Security and Compliance Center.
Upon completion, the goal ID appears on the Goals list page and is also displayed in a message on the dashboard. For example:
A custom goal with ID 4000490002 has been successfully created.
In the example, notice the goal ID. Every goal ID assigned by IBM Z Security and Compliance Center follows this format:
  • The first digit indicates the environment; 4 indicates the z/OS environment.
  • The next five digits indicate the SMF record subtype, which in this example is 00049 (subtype 49).
  • The last four digits are a value in one of two ranges, which indicates the source of the goal, as follows:
    • 1-5000 is reserved for independent software vendor (ISV) supplied goals.
    • 5001-9999 is reserved for user-supplied goals.
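
The goal ID format described above, as an added example (not IBM code): a Python parser that splits a goal ID into its three parts and flags IDs that are malformed or whose source range differs from the one you expect. The names GoalId, parse_goal_id and audit are hypothetical, and every sample ID except 4000490002 is constructed.

```python
import re
from dataclasses import dataclass

# Environment digits documented on this page; only 4 (z/OS) is given.
ENVIRONMENTS = {"4": "z/OS"}

@dataclass(frozen=True)
class GoalId:
    raw: str
    environment: str   # "z/OS" or "unknown"
    smf_subtype: int   # digits 2-6, e.g. 00049 -> 49
    sequence: int      # last four digits
    source: str        # "ISV", "user" or "unassigned"

def parse_goal_id(goal_id):
    """Split a 10-digit goal ID into environment, SMF subtype and source."""
    text = str(goal_id).strip()
    if not re.fullmatch(r"[0-9]{10}", text):
        raise ValueError(f"goal ID must be exactly 10 digits: {text!r}")
    sequence = int(text[6:])
    if 1 <= sequence <= 5000:
        source = "ISV"
    elif 5001 <= sequence <= 9999:
        source = "user"
    else:
        source = "unassigned"  # 0000 falls in neither documented range
    return GoalId(text, ENVIRONMENTS.get(text[0], "unknown"),
                  int(text[1:6]), sequence, source)

def audit(goal_ids, expected_source):
    """Return (id, reason) pairs for IDs that do not match expectations."""
    findings = []
    for gid in goal_ids:
        try:
            parsed = parse_goal_id(gid)
        except ValueError as exc:
            findings.append((gid, str(exc)))
            continue
        if parsed.environment == "unknown":
            findings.append((gid, "environment digit is not documented"))
        elif parsed.source != expected_source:
            findings.append((gid, f"source range is {parsed.source}, "
                                  f"expected {expected_source}"))
    return findings

# Constructed sample IDs; only 4000490002 appears on this page.
SAMPLE = ["4000490002", "4000495001", "400049002", "4000490000", "7000490002"]

if __name__ == "__main__":
    for gid, reason in audit(SAMPLE, "user"):
        print(f"{gid}: {reason}")
```
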

To see your custom goals, check the Goals page in the IBM Z Security and Compliance Center dashboard. A custom goal is indicated with the value Custom in the Type column.

Tip: Use the search bar to filter the list of available goals by description or keyword.

If you accidentally add a goal that you do not need, you can select Disable from the vertical menu to disable it. See Disable a custom goal.

Editing a custom goal

To edit a custom goal, do the following:
  1. In the Goals page, locate the custom goal to be edited.
  2. Click the overflow menu icon (three vertical dots) next to the goal row, then click Edit. Doing so displays the Edit goal page.
    On this page, you can:
    • Edit the goal name and description.
    • Edit the rules for the goal.
  3. When you finish editing the goal, click Save to save the goal. Or click Cancel to cancel your request.

If you no longer need to use a custom goal, you can disable it. If you do so, it cannot be used in future scans.

Before you disable a goal, you might want to make a copy of it for reference. For instructions, see Exporting a custom goal.

Reset a custom goal to its previous settings (rollback)

To restore a custom goal to its previous settings, do the following:
  1. In the Goals page in the IBM Z Security and Compliance Center dashboard, locate the goal to be reset. A custom goal is indicated with the value Custom in the Type column.
  2. Click the overflow menu icon (three vertical dots) next to the goal row, then click Rollback.
  3. In the confirmation window, click Rollback to reset the goal. Or click Cancel to cancel your request.
Note: It is not possible to roll back a goal to a version earlier than Version 1.

Disable a custom goal

To disable a custom goal, do the following:
  1. In the Goals page in the IBM Z Security and Compliance Center dashboard, locate the goal to be disabled.
  2. Click the overflow menu icon (three vertical dots) next to the goal row, then click Disable.
  3. In the confirmation window, click Disable to disable the goal. Or click Cancel to cancel your request.

The disabled goal is automatically removed from any profiles with which it is associated.

Exporting a custom goal

You can make copies of one or more custom goals by exporting them in a compressed file (.zip).

Follow these steps in the UI dashboard:
  1. In the navigation, click Configure > Goals.
  2. From the list of goals, select the goals that you want to export by selecting the corresponding checkboxes. You can export multiple goals at one time.
  3. At the top-right corner of the table, click Export.

You can download the exported file to your workstation.

Importing a custom goal

Your installation might receive custom goals from another administrator or an independent software vendor (ISV). The goals are provided in the form of a compressed file (.zip) that contains one or more goals that are represented by JSON files.

To import goals into IBM Z Security and Compliance Center, follow these steps in the UI dashboard:
  1. In the navigation, click Goals.
  2. Click Import.
  3. Under Add custom goals, select Add file. Then browse to the directory in your workstation that contains the goals file, which is a compressed file (.zip).
  4. Select the file.

After a goal is added to IBM Z Security and Compliance Center, it becomes available for your use in creating custom profiles.

Enabling a custom goal

To enable a custom goal that is disabled, follow these steps in the UI dashboard:
  1. In the Goals page, locate the goal to be enabled.
  2. Select the goal. Then click Enable from the vertical menu at the end of the table row.

The goal is enabled.

The enabled goal has no mapping references to any existing profiles. You must create the mapping references manually.