
Enhanced ComplianceRule Model with XCCDF Variables #94

@remyluslosius

Description


Phase 1, Task 1.1: Enhanced ComplianceRule Model with XCCDF Variables

Branch: feature/xccdf-variable-support
Estimated Time: 3-4 days
Epic: Phase 1: DISA STIGs & CIS Benchmarks with OSCAP

Objective

Add support for XCCDF variables to the ComplianceRule model, enabling scan-time customization of compliance checks (e.g., session timeouts, login banners, password policies).

Implementation Details

1. Create XCCDFVariable Model

Add new Pydantic model for XCCDF variable definitions:

from typing import Any, Dict, Optional

from pydantic import BaseModel


class XCCDFVariable(BaseModel):
    """XCCDF variable definition for scan-time customization"""
    id: str  # e.g., "var_accounts_tmout"
    title: str
    description: Optional[str] = None
    type: str  # "string", "number", "boolean"
    default_value: str
    interactive: bool = True  # may be set per scan (vs. fixed at rule load)
    sensitive: bool = False  # redact in logs/reports; validate before storing
    constraints: Optional[Dict[str, Any]] = None  # e.g., min/max, choices, pattern

2. Update ComplianceRule Model

Add three new fields to support the hybrid scanning architecture:

from typing import Any, Dict, Optional

from beanie import Document  # assumed ODM base class; use the project's actual Document import
from pydantic import Field

# XCCDFVariable is the model defined in step 1 above


class ComplianceRule(Document):
    # Existing fields...

    # NEW: XCCDF Variables (keyed by variable id, e.g. "var_accounts_tmout")
    xccdf_variables: Optional[Dict[str, XCCDFVariable]] = Field(
        default=None,
        description="XCCDF variables that can be customized at scan time"
    )

    # NEW: Scanner routing (indexed, see step 3)
    scanner_type: str = Field(
        default="oscap",
        description="Scanner to use: oscap, inspec, python, cloud_api, etc."
    )

    # NEW: Remediation content
    remediation: Optional[Dict[str, Any]] = Field(
        default=None,
        description="Remediation content for ORSA plugins (Ansible, Bash, etc.)"
    )

3. MongoDB Indexes

Create indexes for performance:

  • scanner_type - For routing rules to appropriate scanners
  • Update existing indexes if needed

Testing Requirements

  • Unit tests for XCCDFVariable validation
  • Unit tests for constraints validation (min/max, choices, patterns)
  • Integration tests for MongoDB CRUD with new fields
  • Migration script to update existing rules (add default values)
  • Test sensitive variable handling
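The constraints validation and sensitive-variable handling called for above, and the scan-time override flow the xccdf_variables field in step 2 enables, as an added example (not code from this issue or the project). A plain dataclass stands in for the Pydantic model so it runs without dependencies; the constraint keys min/max/choices/pattern, the accepted boolean spellings, the <redacted> marker and the sample variable are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, Optional

@dataclass
class XCCDFVariable:  # stand-in for the issue's Pydantic model, trimmed to the fields used here
    id: str
    type: str  # "string", "number", "boolean"
    default_value: str
    sensitive: bool = False
    constraints: Optional[Dict[str, Any]] = None

def coerce(var: XCCDFVariable, raw: str) -> Any:
    """Convert the textual XCCDF value to a Python value according to var.type."""
    if var.type == "number":
        return float(raw) if "." in raw else int(raw)  # ValueError if not numeric
    if var.type == "boolean":
        if raw.lower() not in ("true", "false", "1", "0"):  # assumed accepted spellings
            raise ValueError(f"{var.id}: {raw!r} is not a boolean")
        return raw.lower() in ("true", "1")
    return raw

def validate_value(var: XCCDFVariable, raw: str) -> Any:
    """Coerce raw, then enforce the optional min/max, choices and pattern constraints."""
    value, c = coerce(var, raw), var.constraints or {}
    if "min" in c and value < c["min"]:
        raise ValueError(f"{var.id}: {value} is below minimum {c['min']}")
    if "max" in c and value > c["max"]:
        raise ValueError(f"{var.id}: {value} is above maximum {c['max']}")
    if "choices" in c and value not in c["choices"]:
        raise ValueError(f"{var.id}: {value!r} is not one of {c['choices']}")
    if "pattern" in c and not re.fullmatch(c["pattern"], raw):
        raise ValueError(f"{var.id}: {raw!r} does not match {c['pattern']!r}")
    return value

def resolve_scan_variables(rule_vars: Dict[str, XCCDFVariable], overrides: Dict[str, str]) -> Dict[str, Any]:
    """Merge per-scan overrides into the rule's defaults; unknown variable IDs are rejected."""
    unknown = set(overrides) - set(rule_vars)
    if unknown:
        raise ValueError(f"unknown variables: {sorted(unknown)}")
    return {vid: validate_value(v, overrides.get(vid, v.default_value))
            for vid, v in rule_vars.items()}

def display_value(var: XCCDFVariable, value: Any) -> str:
    """Redact sensitive variables before they reach logs or scan reports."""
    return "<redacted>" if var.sensitive else str(value)

# Constructed sample: the session-timeout variable the issue uses as its example id.
TMOUT = XCCDFVariable(id="var_accounts_tmout", type="number", default_value="600", constraints={"min": 1, "max": 900})
```

Overrides arrive from the scan request, so every one is checked against the rule's declared type and constraints before it is stored or passed to a scanner.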

Acceptance Criteria

  • XCCDFVariable model implemented with validation
  • ComplianceRule model updated with 3 new fields
  • MongoDB indexes created
  • All existing tests pass
  • New tests have >90% coverage
  • Migration script tested on dev database
  • API documentation updated

Dependencies

  • None (first task in Phase 1)

Next Steps

After this PR is merged:
