XCCDF Data-Stream Generator from MongoDB #98

@remyluslosius

Description

Objective

Generate XCCDF 1.2 data-stream files from MongoDB compliance rules with XCCDF variables for scan-time customization.

Context

This implements Phase 1, Task 1.3 of the 7-phase hybrid scanning architecture plan. Builds on:

Requirements

1. XCCDF Benchmark Generator

Generate compliant XCCDF 1.2 XML from MongoDB rules:

  • <xccdf:Benchmark> with metadata (title, description, version)
  • <xccdf:Profile> elements for framework selection (NIST, CIS, STIG, etc.)
  • <xccdf:Value> elements for XCCDF variables
  • <xccdf:Rule> elements with framework references
  • <xccdf:Group> elements for categorization

2. XCCDF Tailoring File Generator

Generate XCCDF 1.2 tailoring files for scan-time variable customization:

<xccdf:Tailoring>
  <xccdf:Profile id="custom_profile">
    <xccdf:set-value idref="var_accounts_tmout">600</xccdf:set-value>
    <xccdf:set-value idref="login_banner_text">Authorized Access Only</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>

3. OVAL Definitions Integration

Reference existing OVAL checks or generate placeholders:

  • <oval:oval_definitions> component in data-stream
  • <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  • <xccdf:check-content-ref> linking to OVAL test IDs

4. Service Layer

Create XCCDFGeneratorService with methods:

  • generate_benchmark(framework, version, rule_ids)
  • generate_tailoring(profile_id, variable_overrides)
  • generate_datastream(benchmark, oval_defs)

Implementation Plan

Files to Create

  1. backend/app/services/xccdf_generator_service.py - Core XCCDF generation logic
  2. backend/app/api/v1/endpoints/xccdf_api.py - API endpoints for XCCDF generation
  3. backend/app/schemas/xccdf_schemas.py - Pydantic schemas for requests/responses

Code Structure

from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

from motor.motor_asyncio import AsyncIOMotorDatabase

# ComplianceRule and XCCDFVariable are the project's MongoDB document models
# (rules and the variables they expose as <xccdf:Value> elements).


class XCCDFGeneratorService:
    def __init__(self, db: AsyncIOMotorDatabase):
        self.db = db
        # prefix -> URI map for the XCCDF 1.2 / OVAL namespaces used when building elements
        self.namespaces = {...}

    async def generate_benchmark(
        self,
        framework: str,
        version: str,
        rule_filter: Optional[Dict] = None
    ) -> str:
        """Generate XCCDF Benchmark XML for one framework (optionally filtered by rule)"""
        pass

    async def generate_tailoring(
        self,
        benchmark_id: str,
        profile_id: str,
        variable_overrides: Dict[str, str]
    ) -> str:
        """Generate XCCDF Tailoring XML that overrides Value defaults for a profile"""
        pass

    def _create_xccdf_value(self, variable: XCCDFVariable) -> ET.Element:
        """Create <xccdf:Value> element (type, default value, constraints)"""
        pass

    def _create_xccdf_rule(self, rule: ComplianceRule) -> ET.Element:
        """Create <xccdf:Rule> element with its framework references and OVAL check"""
        pass

    def _create_xccdf_profile(
        self,
        profile_id: str,
        framework: str,
        rule_ids: List[str]
    ) -> ET.Element:
        """Create <xccdf:Profile> element selecting the given rules"""
        pass
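As an added example (not code from this issue or the project), the two service methods above reduced to plain synchronous functions over one constructed rule document: it applies the XCCDF 1.2 `xccdf_<reverse-DNS>_<type>_<name>` id convention the schema enforces, keeps the schema's Profile, Value, then Rule ordering, exports each Value to its OVAL variable, and emits a Tailoring whose set-value idref points at the Value id. The `org.example` namespace, every id and all sample values are assumptions.

```python
# Added example, not the project's code: XCCDF 1.2 Benchmark and Tailoring built from
# a rule document shaped like the issue's MongoDB records (all ids/values constructed).
import xml.etree.ElementTree as ET

NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
ET.register_namespace("xccdf", NS)

def q(tag):  # namespace-qualified XCCDF tag name
    return f"{{{NS}}}{tag}"
def xid(kind, name):  # XCCDF 1.2 id convention: xccdf_<reverse-DNS>_<type>_<name>
    return f"xccdf_org.example_{kind}_{name}"
# Constructed sample rule; each variable is (id, type, default, OVAL variable id).
SAMPLE_RULES = [{
    "id": "accounts_tmout", "title": "Set shell timeout", "severity": "medium",
    "frameworks": ["nist_800_53_r5"], "oval_id": "oval:org.example:def:1",
    "variables": [("var_accounts_tmout", "number", "900", "oval:org.example:var:1")],
}]

def generate_benchmark(rules, framework, version):
    rules = [r for r in rules if framework in r["frameworks"]]  # framework selection
    b = ET.Element(q("Benchmark"), {"id": xid("benchmark", framework)})
    ET.SubElement(b, q("status"), {"date": "2024-01-01"}).text = "draft"  # required, first
    ET.SubElement(b, q("title")).text = f"{framework} benchmark"
    ET.SubElement(b, q("version")).text = version
    p = ET.SubElement(b, q("Profile"), {"id": xid("profile", framework)})
    ET.SubElement(p, q("title")).text = f"{framework} profile"
    for r in rules:
        ET.SubElement(p, q("select"), {"idref": xid("rule", r["id"]), "selected": "true"})
    for r in rules:  # schema order: Profile*, Value*, then Group/Rule
        for vid, vtype, default, _ in r["variables"]:
            v = ET.SubElement(b, q("Value"), {"id": xid("value", vid), "type": vtype})
            ET.SubElement(v, q("value")).text = default
    for r in rules:
        rule = ET.SubElement(b, q("Rule"), {"id": xid("rule", r["id"]), "severity": r["severity"]})
        ET.SubElement(rule, q("title")).text = r["title"]
        chk = ET.SubElement(rule, q("check"), {"system": OVAL_SYS})
        for vid, _, _, oval_var in r["variables"]:  # bind the Value to the OVAL variable
            ET.SubElement(chk, q("check-export"), {"value-id": xid("value", vid), "export-name": oval_var})
        ET.SubElement(chk, q("check-content-ref"), {"href": "oval.xml", "name": r["oval_id"]})
    return ET.tostring(b, encoding="unicode")

def generate_tailoring(profile_id, overrides):  # overrides: {variable id: scan-time value}
    t = ET.Element(q("Tailoring"), {"id": xid("tailoring", "custom")})
    ET.SubElement(t, q("version"), {"time": "2024-01-01T00:00:00"}).text = "1"
    p = ET.SubElement(t, q("Profile"), {"id": profile_id})
    ET.SubElement(p, q("title")).text = "Customised profile"
    for vid, val in overrides.items():
        ET.SubElement(p, q("set-value"), {"idref": xid("value", vid)}).text = val
    return ET.tostring(t, encoding="unicode")
```

Writing both strings to files and running the `oscap xccdf validate` commands from the Validation section is the quickest check that the ordering and id conventions hold.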

API Endpoints

from typing import Dict, Optional

from fastapi import APIRouter

# Request/response schemas live in backend/app/schemas/xccdf_schemas.py (see Files to Create)
from app.schemas.xccdf_schemas import XCCDFBenchmarkResponse, XCCDFTailoringResponse

router = APIRouter()


@router.post("/xccdf/generate-benchmark")
async def generate_benchmark(
    framework: str,
    version: str,
    rule_filter: Optional[Dict] = None
) -> XCCDFBenchmarkResponse:
    """Generate XCCDF Benchmark XML for the given framework and version"""
    pass

@router.post("/xccdf/generate-tailoring")
async def generate_tailoring(
    benchmark_id: str,
    variable_overrides: Dict[str, str]
) -> XCCDFTailoringResponse:
    """Generate XCCDF Tailoring XML applying the given variable overrides"""
    pass

Testing Requirements

Unit Tests

  • Test XCCDF Benchmark generation with sample rules
  • Test XCCDF Value element creation with constraints
  • Test XCCDF Profile generation with framework selection
  • Test XCCDF Tailoring generation with variable overrides

Integration Tests

  • Generate benchmark from MongoDB rules (NIST 800-53r5)
  • Generate tailoring file with custom variable values
  • Validate generated XML against XCCDF 1.2 XSD schema
  • Test with oscap command-line tool:
    oscap xccdf eval --profile test_profile --tailoring-file custom.xml benchmark.xml

Validation

# Validate XCCDF Benchmark
oscap xccdf validate benchmark.xml

# Validate XCCDF Tailoring
oscap xccdf validate --schematron tailoring.xml

# Generate HTML guide from benchmark
oscap xccdf generate guide --profile nist_800_53_r5 benchmark.xml > guide.html

Acceptance Criteria

  • XCCDF Benchmark generated from MongoDB rules
  • XCCDF Value elements created for variables with constraints
  • XCCDF Profile elements created per framework (NIST, CIS, STIG)
  • XCCDF Tailoring files generated with variable overrides
  • Generated XML validates with oscap xccdf validate
  • API endpoints available (/api/v1/xccdf/generate-benchmark)
  • Unit tests passing (90%+ coverage)
  • Integration tests with real MongoDB data passing
  • Documentation updated with examples

Dependencies

Estimated Time

7-10 days

Branch Name

feature/xccdf-generator

Related Documentation
