Problem
STIG_CONTROLS in stigsentry/core.py is a hand-curated sample of 8 STIG
IDs → NIST 800-53 mappings (clearly labeled as a public sample). On real systems
the operator runs a full SCAP/SCC benchmark with hundreds of rules per STIG, so
the vast majority of findings currently fall through to the SS-UNK-* "Unknown
STIG ID" low-severity bucket and lose their NIST/CCI provenance.
Proposal
Add an XCCDF/SCAP benchmark loader so stigsentry can ingest DISA's published
benchmark content (the *-xccdf.xml files inside a STIG .zip) and build the
stig_id → {title, nist, sev, cci} table from it, falling back to the built-in
sample when no benchmark is supplied.
- Parse the XCCDF
<Rule> elements: @severity (high/medium/low → our Severity
band), <title>, the CCI-* refs under <ident>, and the version/V- id.
- Resolve CCI → 800-53 via DISA's
U_CCI_List.xml (see related issue).
- Cache the parsed table through the existing
datafeeds layer so it works
air-gapped after a one-time import.
Why it matters
This is the difference between a demo crosswalk and a tool an ISSO can point at
their actual SCC output and get a complete, mapped POA&M.
Acceptance
scan(target, benchmark="path/to/U_RHEL_9_STIG_xccdf.xml") builds the table
from the benchmark.
- Findings whose STIG ID is in the benchmark carry NIST + CCI; the built-in
sample remains the default when no benchmark is given (no API break).
Problem
STIG_CONTROLSinstigsentry/core.pyis a hand-curated sample of 8 STIGIDs → NIST 800-53 mappings (clearly labeled as a public sample). On real systems
the operator runs a full SCAP/SCC benchmark with hundreds of rules per STIG, so
the vast majority of findings currently fall through to the
SS-UNK-*"UnknownSTIG ID" low-severity bucket and lose their NIST/CCI provenance.
Proposal
Add an XCCDF/SCAP benchmark loader so stigsentry can ingest DISA's published
benchmark content (the
*-xccdf.xmlfiles inside a STIG.zip) and build thestig_id → {title, nist, sev, cci}table from it, falling back to the built-insample when no benchmark is supplied.
<Rule>elements:@severity(high/medium/low → our Severityband),
<title>, theCCI-*refs under<ident>, and the version/V-id.U_CCI_List.xml(see related issue).datafeedslayer so it worksair-gapped after a one-time import.
Why it matters
This is the difference between a demo crosswalk and a tool an ISSO can point at
their actual SCC output and get a complete, mapped POA&M.
Acceptance
scan(target, benchmark="path/to/U_RHEL_9_STIG_xccdf.xml")builds the tablefrom the benchmark.
sample remains the default when no benchmark is given (no API break).