Skip to content

Ingest full DISA SCAP/XCCDF benchmarks instead of the 8-entry built-in crosswalk #7

Description

@cognis-digital

Problem

STIG_CONTROLS in stigsentry/core.py is a hand-curated sample of 8 STIG
IDs → NIST 800-53 mappings (clearly labeled as a public sample). On real systems
the operator runs a full SCAP/SCC benchmark with hundreds of rules per STIG, so
the vast majority of findings currently fall through to the SS-UNK-* "Unknown
STIG ID" low-severity bucket and lose their NIST/CCI provenance.

Proposal

Add an XCCDF/SCAP benchmark loader so stigsentry can ingest DISA's published
benchmark content (the *-xccdf.xml files inside a STIG .zip) and build the
stig_id → {title, nist, sev, cci} table from it, falling back to the built-in
sample when no benchmark is supplied.

  • Parse the XCCDF <Rule> elements: @severity (high/medium/low → our Severity
    band), <title>, the CCI-* refs under <ident>, and the version/V- id.
  • Resolve CCI → 800-53 via DISA's U_CCI_List.xml (see related issue).
  • Cache the parsed table through the existing datafeeds layer so it works
    air-gapped after a one-time import.

Why it matters

This is the difference between a demo crosswalk and a tool an ISSO can point at
their actual SCC output and get a complete, mapped POA&M.

Acceptance

  • scan(target, benchmark="path/to/U_RHEL_9_STIG_xccdf.xml") builds the table
    from the benchmark.
  • Findings whose STIG ID is in the benchmark carry NIST + CCI; the built-in
    sample remains the default when no benchmark is given (no API break).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions