[Phase 1] Enhanced SCAP Converter with Variable and Remediation Extraction#97
Merged
Merged
Conversation
Phase 1, Task 1.1: Enhanced ComplianceRule Model with XCCDF Variables Implements Solution A (XCCDF Variables) for hybrid scanning architecture, enabling scan-time customization of compliance checks. New Model: XCCDFVariable - Supports string, number, and boolean variable types - Validation for constraints (min/max, choices, patterns) - Sensitive variable handling (encrypted storage, masked UI) - Interactive flag for UI/API customization ComplianceRule Enhancements: 1. xccdf_variables: Dict[str, XCCDFVariable] - Variables for scan-time customization 2. scanner_type: str - Route rules to appropriate scanner (oscap, python, aws_api, etc.) 3. remediation: Dict - ORSA (Open Remediation Standard Adapter) plugin content MongoDB Indexes: - Added 'scanner_type' index for routing performance - Added compound index: (scanner_type, is_latest) for latest rules by scanner Testing: - XCCDFVariable creation and validation ✅ - Constraint validation (numeric, string, regex) ✅ - Model serialization (exclude_none) ✅ - ComplianceRule backward compatibility ✅ References: - Issue #94 - /docs/REMEDIATION_WITH_XCCDF_VARIABLES.md - /docs/ADVANCED_SCANNING_ARCHITECTURE.md - /docs/IMPLEMENTATION_PLAN_7_PHASES.md 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
Implements enhanced SCAP converter with XCCDF variable and remediation content extraction for Solution A hybrid scanning architecture. ## New Components ### 1. SCAP YAML Parser Service (scap_yaml_parser_service.py) - **XCCDFVariableExtractor**: Extracts XCCDF variables from SCAP YAML rules - Variable type inference (string, number, boolean) - Constraint detection (min/max values, string lengths, regex patterns) - Sensitive variable marking (passwords, keys, credentials) - Template variable extraction - **RemediationExtractor**: Extracts remediation content - Ansible task generation from templates (sysctl, file, service, package) - Bash script generation for simple remediation - Supports separate remediation files (ansible/shared.yml, bash/shared.sh) - **ScannerTypeDetector**: Detects scanner type from rule metadata - kubernetes: yamlfile_value templates with ocp_data - aws_api, azure_api, gcp_api: Cloud-specific templates - oscap: Traditional OVAL-based checks (default) ### 2. Enhanced SCAP Converter Updates - Added --extract-variables flag for XCCDF variable extraction - Added --extract-remediation flag for remediation content extraction - Integrated scap_yaml_parser_service for metadata extraction - Populates xccdf_variables, remediation, scanner_type fields (from Issue #94) ## Testing Tested with real SCAP content: **Kubernetes Rule** (ocp_insecure_allowed_registries_for_import): - Scanner Type: kubernetes ✅ - Variables: check_existence, values ✅ **Mock Sysctl Rule** (net.ipv4.ip_forward): - Scanner Type: oscap ✅ - Variables: sysctlvar (string), sysctlval (boolean) ✅ - Ansible Remediation: ansible.posix.sysctl task ✅ - Bash Remediation: sysctl -w command + /etc/sysctl.conf ✅ ## Usage ```bash # Extract variables only python -m backend.app.cli.scap_to_openwatch_converter_enhanced convert \ --scap-path /path/to/scap/content \ --output-path /output/dir \ --format json \ --extract-variables # Extract variables + remediation python -m backend.app.cli.scap_to_openwatch_converter_enhanced convert \ --scap-path /path/to/scap/content \ --output-path /output/dir \ --format json \ --extract-variables \ --extract-remediation ``` ## Implementation Notes - Variable extraction handles template vars (most reliable source) - Type inference from naming conventions (timeout→number, banner→string) - Remediation extraction supports 12 template types (sysctl, file, service, etc.) - Scanner detection based on template name and file path - All Phase 1 fields are optional with defaults (backward compatible) ## Related Issues - Closes: #96 (Enhanced SCAP Converter with Variable Extraction) - Requires: #94 (XCCDFVariable Model) - merged - Blocks: #97 (XCCDF Data-Stream Generator) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| ) | ||
|
|
||
| @validator('type') | ||
| def validate_type(cls, v): |
Check notice
Code scanning / CodeQL
First parameter of a method is not named 'self' Note
Copilot Autofix
AI 8 months ago
Copilot could not generate an autofix suggestion
Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
| return v | ||
|
|
||
| @validator('constraints') | ||
| def validate_constraints(cls, v, values): |
Check notice
Code scanning / CodeQL
First parameter of a method is not named 'self' Note
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 months ago
To fix the problem, we need to ensure the first parameter of the validate_constraints method is named self because @validator without additional flags expects an instance method, not a class method. This requires changing the method signature from def validate_constraints(cls, v, values): to def validate_constraints(self, v, values):. All internal references to cls in that method should be changed to self, although in this case, it appears none are used. No changes to the decorator or the call sites are necessary. The only change is within the body of the class PlatformImplementation in the file backend/app/models/mongo_models.py, on the lines defining the validate_constraints method.
Suggested changeset
1
backend/app/models/mongo_models.py
| @@ -237,7 +237,7 @@ | ||
| return v | ||
|
|
||
| @validator('constraints') | ||
| def validate_constraints(cls, v, values): | ||
| def validate_constraints(self, v, values): | ||
| """Validate constraints match the variable type""" | ||
| if not v: | ||
| return v |
Copilot is powered by AI and may make mistakes. Always verify output.
| """ | ||
|
|
||
| import re | ||
| from typing import Dict, List, Any, Optional, Set |
Check notice
Code scanning / CodeQL
Unused import Note
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 months ago
The correct way to fix this problem is to remove only the unused imported symbol List from the import statement on line 14 in backend/app/services/scap_yaml_parser_service.py. There is no reason to alter any other part of the file, as the other imported types, (Dict, Any, Optional, Set), are all used. The fix is to delete just the List item from the import statement, ensuring that the codebase remains clean and avoids unnecessary dependencies.
Suggested changeset
1
backend/app/services/scap_yaml_parser_service.py
| @@ -11,7 +11,7 @@ | ||
| """ | ||
|
|
||
| import re | ||
| from typing import Dict, List, Any, Optional, Set | ||
| from typing import Dict, Any, Optional, Set | ||
| from pathlib import Path | ||
| import logging | ||
|
|
Copilot is powered by AI and may make mistakes. Always verify output.
9 tasks
remyluslosius
added a commit
that referenced
this pull request
Oct 15, 2025
Implements XCCDF 1.2 compliant benchmark and tailoring file generation
from MongoDB compliance rules for Solution A hybrid scanning architecture.
## New Components
### 1. XCCDF Generator Service (xccdf_generator_service.py - 550 lines)
- **generate_benchmark()**: Creates XCCDF 1.2 Benchmark XML from MongoDB rules
- Generates XCCDF Value elements for variables with constraints
- Creates Groups for rule categorization
- Generates Profiles per framework (NIST, CIS, STIG, etc.)
- Proper XCCDF 1.2 ID formatting: xccdf_<reverse-DNS>_<type>_<name>
- **generate_tailoring()**: Creates XCCDF Tailoring files for variable overrides
- Allows environment-specific customization (dev, staging, prod)
- set-value elements for variable overrides
- Extends base profiles without modifying benchmark
- **XCCDF 1.2 Compliance**:
- Benchmark IDs: xccdf_com.hanalyx.openwatch_benchmark_{name}
- Rule IDs: xccdf_com.hanalyx.openwatch_rule_{name}
- Value IDs: xccdf_com.hanalyx.openwatch_value_{name}
- Group IDs: xccdf_com.hanalyx.openwatch_group_{category}
- Profile IDs: xccdf_com.hanalyx.openwatch_profile_{framework}_{version}
### 2. XCCDF API Endpoints (xccdf_api.py - 220 lines)
- **POST /api/v1/xccdf/generate-benchmark**: Generate XCCDF Benchmark
- **POST /api/v1/xccdf/generate-tailoring**: Generate XCCDF Tailoring file
- **GET /api/v1/xccdf/frameworks**: List available frameworks and versions
- **GET /api/v1/xccdf/variables**: List customizable XCCDF variables
### 3. Pydantic Schemas (xccdf_schemas.py - 150 lines)
- XCCDFBenchmarkRequest/Response
- XCCDFTailoringRequest/Response
- XCCDFValidationRequest/Response
## XCCDF Structure Generated
### Benchmark XML
\`\`\`xml
<xccdf:Benchmark id="xccdf_com.hanalyx.openwatch_benchmark_nist_800_53r5">
<xccdf:status>draft</xccdf:status>
<xccdf:title>NIST 800-53r5 Benchmark</xccdf:title>
<xccdf:version>1.0.0</xccdf:version>
<!-- Variables -->
<xccdf:Value id="xccdf_com.hanalyx.openwatch_value_var_accounts_tmout" type="number">
<xccdf:title>Session Timeout</xccdf:title>
<xccdf:value>600</xccdf:value>
<xccdf:lower-bound>60</xccdf:lower-bound>
<xccdf:upper-bound>3600</xccdf:upper-bound>
</xccdf:Value>
<!-- Groups & Rules -->
<xccdf:Group id="xccdf_com.hanalyx.openwatch_group_authentication">
<xccdf:Rule id="xccdf_com.hanalyx.openwatch_rule_accounts_tmout">
<xccdf:title>Set Interactive Session Timeout</xccdf:title>
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<xccdf:check-content-ref href="oscap-definitions.xml"/>
</xccdf:check>
</xccdf:Rule>
</xccdf:Group>
<!-- Profiles -->
<xccdf:Profile id="xccdf_com.hanalyx.openwatch_profile_nist_800_53r5">
<xccdf:title>NIST 800-53r5</xccdf:title>
<xccdf:select idref="xccdf_com.hanalyx.openwatch_rule_accounts_tmout" selected="true"/>
</xccdf:Profile>
</xccdf:Benchmark>
\`\`\`
### Tailoring XML
\`\`\`xml
<xccdf:Tailoring id="production_tailoring">
<xccdf:version>1.0</xccdf:version>
<xccdf:benchmark href="benchmark.xml"/>
<xccdf:Profile id="nist_800_53r5_production" extends="nist_800_53r5">
<xccdf:title>Production Environment</xccdf:title>
<xccdf:set-value idref="xccdf_com.hanalyx.openwatch_value_var_accounts_tmout">300</xccdf:set-value>
</xccdf:Profile>
</xccdf:Tailoring>
\`\`\`
## Usage
### Generate Benchmark
\`\`\`python
POST /api/v1/xccdf/generate-benchmark
{
"benchmark_id": "nist-800-53r5",
"title": "NIST SP 800-53 Revision 5",
"description": "Security controls for federal information systems",
"version": "1.0.0",
"framework": "nist",
"framework_version": "800-53r5"
}
\`\`\`
### Generate Tailoring
\`\`\`python
POST /api/v1/xccdf/generate-tailoring
{
"tailoring_id": "prod_tailoring",
"benchmark_href": "nist-800-53r5.xml",
"profile_id": "xccdf_com.hanalyx.openwatch_profile_nist_800_53r5",
"variable_overrides": {
"xccdf_com.hanalyx.openwatch_value_var_accounts_tmout": "300"
}
}
\`\`\`
### Scan with Generated Files
\`\`\`bash
# Generate benchmark via API, save to file
curl -X POST /api/v1/xccdf/generate-benchmark ... > benchmark.xml
# Generate tailoring via API
curl -X POST /api/v1/xccdf/generate-tailoring ... > tailoring.xml
# Scan with oscap
oscap xccdf eval \\
--profile xccdf_com.hanalyx.openwatch_profile_nist_800_53r5 \\
--tailoring-file tailoring.xml \\
--results results.xml \\
benchmark.xml
\`\`\`
## Implementation Notes
### XCCDF 1.2 ID Requirements
- All IDs must follow pattern: `xccdf_<reverse-DNS>_<type>_<name>`
- Reverse DNS: `com.hanalyx.openwatch`
- Types: benchmark, profile, group, rule, value
- Names: Derived from MongoDB rule_id, category, framework, etc.
### Variable Constraints
- Number types: lower-bound, upper-bound elements
- String types: choice elements for enums, match for regex patterns
- Boolean types: No additional constraints needed
### Profile Generation
- One profile per framework version found in rules
- Profiles automatically select matching rules via xccdf:select
- Tailoring extends profiles without modifying benchmark
## Testing
Manual XCCDF validation shows ID format requirements working correctly:
- ✅ Benchmark IDs properly formatted
- ✅ Value IDs with xccdf_ prefix
- ✅ Rule IDs with xccdf_ prefix
- ✅ Group IDs with xccdf_ prefix
- ✅ Profile IDs with xccdf_ prefix
Integration testing with real MongoDB data pending PR #97 merge.
## Related Issues
- Closes: #98
- Requires: #96 (SCAP converter with variables) - PR #97 pending
- Blocks: #99 (MongoDB-Based Scan Service)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This was referenced Oct 15, 2025
remyluslosius
added a commit
that referenced
this pull request
Oct 15, 2025
…ash Executors
Implements complete ORSA (OpenWatch Remediation and Security Automation) plugin
architecture for automated remediation execution after compliance scans.
## New Components (7 files, ~2,500 lines)
### 1. MongoDB Models (backend/app/models/remediation_models.py - 330 lines)
**Purpose**: Track remediation execution lifecycle and results
**Key Models**:
- RemediationResult: Complete execution record with rollback support
- Tracks status: pending → running → completed/failed/rolled_back
- Stores stdout/stderr, changes made, variables applied
- Audit log with timestamped actions
- Rollback content and execution tracking
- BulkRemediationJob: Batch remediation coordinator
- Progress tracking (total, completed, failed counts)
- Success rate calculation
- Individual remediation ID tracking
- RemediationRequest/BulkRemediationRequest: API request schemas
- RemediationSummary: Aggregated statistics
**Indexes**: remediation_id, rule_id, status, executed_by, scan_id, created_at
### 2. Base Executor Interface (backend/app/services/remediators/base_executor.py - 280 lines)
**Purpose**: Abstract interface for all remediation executors
**Design Pattern**: Strategy pattern for pluggable executors
**Key Features**:
- Abstract methods: execute(), rollback(), validate_content(), supports_target()
- Capability system: DRY_RUN, ROLLBACK, IDEMPOTENT, VARIABLE_SUBSTITUTION, REMOTE_EXECUTION
- Custom exceptions: ExecutorNotAvailableError, ExecutorValidationError, ExecutorExecutionError
- Variable substitution: {{var}} and ${var} patterns
- Change extraction for rollback tracking
- Async context manager support
**ExecutorMetadata**: Version, capabilities, supported targets for discovery
### 3. Ansible Executor (backend/app/services/remediators/ansible_executor.py - 380 lines)
**Purpose**: Execute Ansible playbooks from string content
**Capabilities**:
- ✅ Dry-run (--check mode)
- ✅ Rollback support
- ✅ Idempotent operations
- ✅ Variable substitution (--extra-vars)
- ✅ Remote execution (SSH)
**Features**:
- Dynamic inventory generation (local or SSH targets)
- YAML validation via yaml.safe_load()
- SSH key management (temp files with 0600 permissions)
- Ansible output parsing (PLAY RECAP, changed counts)
- Change extraction from task output
- Timeout support with process cleanup
**Execution Flow**:
1. Validate playbook YAML structure
2. Generate inventory file (local or remote)
3. Write SSH key if provided
4. Build ansible-playbook command with --extra-vars, --check, --private-key
5. Execute with timeout
6. Parse PLAY RECAP for change counts
7. Extract changes for rollback tracking
**Example Command**:
```bash
ansible-playbook playbook.yml -i inventory.ini \
--extra-vars '{"var_tmout": "300"}' \
--check \
--private-key ssh_key \
-e ansible_host_key_checking=False
```
### 4. Bash Executor (backend/app/services/remediators/bash_executor.py - 380 lines)
**Purpose**: Execute bash scripts from string content
**Capabilities**:
- ✅ Variable substitution (export statements)
- ✅ Remote execution (SSH)
- ⚠️ Limited dry-run (syntax check only via bash -n)
- ⚠️ NOT idempotent by default
**Features**:
- Syntax validation: bash -n (noexec mode)
- Variable preparation: Prepends export statements
- Local execution: Direct bash script_file
- Remote execution: SSH with script piped to stdin
- Change extraction: Looks for "Changed:", "Modified:", "Created:" patterns
- Timeout support
**Script Preparation**:
```bash
#!/bin/bash
set -e # Exit on error
# Environment variables
export var_tmout='300'
export var_password_minlen='14'
# Remediation script
[original content]
```
**Remote Execution**:
```bash
ssh -i ssh_key -o StrictHostKeyChecking=no \
root@192.168.1.100 'bash -s' < script.sh
```
### 5. Executor Factory (backend/app/services/remediators/__init__.py - 180 lines)
**Purpose**: Registry and factory for executor instantiation
**Pattern**: Factory pattern with runtime registration
**Registry**:
- ansible: AnsibleExecutor
- bash: BashExecutor
- (Future): terraform, kubernetes, python
**Methods**:
- get_executor(type): Instantiate executor
- register_executor(type, class): Runtime plugin registration
- list_executors(available_only): Discovery
- get_executor_metadata(type): Capabilities, version, targets
- get_all_executor_metadata(): All registered executors
**Example**:
```python
executor = RemediationExecutorFactory.get_executor('ansible')
metadata = RemediationExecutorFactory.get_executor_metadata('ansible')
# {"name": "ansible", "version": "2.14.3", "capabilities": [...]}
```
### 6. Remediation Orchestrator (backend/app/services/remediation_orchestrator_service.py - 420 lines)
**Purpose**: Central coordinator for remediation lifecycle
**Workflow**:
1. Query rule from MongoDB
2. Extract remediation content and type
3. Prepare variables (defaults + overrides)
4. Get executor from factory
5. Execute remediation
6. Track status: PENDING → RUNNING → COMPLETED/FAILED
7. Generate rollback content if successful
8. Store RemediationResult in MongoDB
9. Add audit log entries
**Key Methods**:
- execute_remediation(): Single rule execution
- execute_bulk_remediation(): Batch execution from scan results
- Query failed rules from scan
- Execute each remediation sequentially
- Track job progress (completed/failed counts)
- Calculate success rate
- rollback_remediation(): Execute rollback content
- get_remediation_result(): Query by ID
- list_remediations(): Pagination and filtering
- get_remediation_statistics(): Aggregated stats
**Bulk Remediation Sources**:
1. scan_id: Remediate all failed rules from scan
2. rule_ids: Explicit list of rules
3. rule_filter: Query filter (e.g., {"severity": ["high"]})
**Variable Preparation**:
```python
# Start with rule defaults
if 'xccdf_variables' in rule:
for var_id, var_def in rule['xccdf_variables'].items():
variables[var_id] = var_def['default']
# Apply user overrides
variables.update(overrides)
```
### 7. Remediation API (backend/app/api/v1/endpoints/remediation_api.py - 420 lines)
**Purpose**: REST API for remediation operations
**Endpoints**:
- POST /api/v1/remediation/execute - Execute single remediation
- POST /api/v1/remediation/execute-bulk - Batch remediation
- GET /api/v1/remediation/{id} - Get result
- GET /api/v1/remediation/ - List with filters (status, scan_id, pagination)
- POST /api/v1/remediation/{id}/rollback - Rollback remediation
- DELETE /api/v1/remediation/{id} - Delete result
- GET /api/v1/remediation/statistics/summary - Aggregated stats
- GET /api/v1/remediation/executors/available - List executors
- GET /api/v1/remediation/jobs/{id} - Get bulk job status
**Authorization**:
- Users can only view/execute/rollback their own remediations
- Admins can access all remediations
**Query Parameters**:
- skip/limit: Pagination
- status: Filter by RemediationStatus
- scan_id: Filter by source scan
## API Usage Examples
### Execute Single Remediation
```bash
curl -X POST http://localhost:8000/api/v1/remediation/execute \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"rule_id": "xccdf_com.hanalyx.openwatch_rule_accounts_tmout",
"target": {
"type": "ssh_host",
"identifier": "192.168.1.100",
"credentials": {
"username": "root",
"ssh_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n..."
}
},
"variable_overrides": {
"var_accounts_tmout": "300"
},
"dry_run": false
}'
```
### Bulk Remediation (Failed Rules from Scan)
```bash
curl -X POST http://localhost:8000/api/v1/remediation/execute-bulk \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"rule_filter": {
"severity": ["high", "critical"]
},
"target": {
"type": "ssh_host",
"identifier": "prod-web-01.example.com",
"credentials": {...}
},
"dry_run": true
}'
```
### Rollback Remediation
```bash
curl -X POST http://localhost:8000/api/v1/remediation/{id}/rollback \
-H "Authorization: Bearer $TOKEN"
```
### List Remediations
```bash
curl "http://localhost:8000/api/v1/remediation/?status=completed&limit=10" \
-H "Authorization: Bearer $TOKEN"
```
### Get Statistics
```bash
curl "http://localhost:8000/api/v1/remediation/statistics/summary?days=30" \
-H "Authorization: Bearer $TOKEN"
# Response:
{
"total": 150,
"completed": 120,
"failed": 20,
"success_rate": 80.0,
"by_executor": {"ansible": 100, "bash": 50}
}
```
### List Available Executors
```bash
curl http://localhost:8000/api/v1/remediation/executors/available \
-H "Authorization: Bearer $TOKEN"
# Response:
[
{
"name": "ansible",
"version": "2.14.3",
"capabilities": ["dry_run", "rollback", "idempotent"],
"available": true
}
]
```
## Remediation Execution Flow
```
API Request
↓
RemediationOrchestrator.execute_remediation()
↓
Query rule from MongoDB
↓
Extract remediation: {type: "ansible", content: "..."}
↓
Prepare variables: defaults + overrides
↓
RemediationExecutorFactory.get_executor(type)
↓
AnsibleExecutor.execute(content, target, variables, dry_run)
↓
1. Validate playbook YAML
2. Generate inventory file
3. Write SSH key (0600 permissions)
4. Build command: ansible-playbook --extra-vars --check --private-key
5. Execute with timeout
6. Parse PLAY RECAP for changes
↓
RemediationExecutionResult: {success, stdout, stderr, changes_made, duration}
↓
Update RemediationResult:
- status: RUNNING → COMPLETED/FAILED
- execution_result: {...}
- rollback_available: true (if changes made)
- rollback_content: "..." (future: auto-generated)
↓
Save to MongoDB
↓
Add audit log entry: "Completed"
↓
Return RemediationResult
```
## Executor Capabilities Matrix
| Executor | Dry-Run | Rollback | Idempotent | Variables | Remote | Version Detection |
|----------|---------|----------|------------|-----------|--------|-------------------|
| Ansible | ✅ Full | ✅ Yes | ✅ Yes | ✅ Yes | ✅ SSH | ansible-playbook --version |
| Bash | ⚠️ Syntax only | ✅ Yes | ❌ No | ✅ Yes | ✅ SSH | bash --version |
| Terraform (future) | ✅ Plan | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Providers | terraform version |
| Kubernetes (future) | ✅ --dry-run | ✅ Yes | ✅ Yes | ✅ Yes | ✅ kubectl | kubectl version |
## Security Considerations
1. **SSH Key Storage**:
- Temporary files with 0600 permissions
- Deleted after execution
- TODO: Encrypt in MongoDB (currently plaintext in credentials dict)
2. **Script Execution**:
- Bash scripts run with 'set -e' (exit on error)
- Ansible uses --check for dry-run validation
- Timeout enforcement prevents runaway processes
3. **Authorization**:
- Users can only access their own remediations
- Admins can access all
- Rollback requires original execution ownership
4. **Audit Trail**:
- All status changes logged with timestamps
- Username tracking: executed_by
- Complete stdout/stderr capture
## Dependencies
**Python Packages** (add to requirements.txt):
- ansible-core>=2.14.0 (for Ansible executor)
- paramiko>=3.0.0 (for SSH in Bash executor)
- pyyaml>=6.0 (for Ansible playbook parsing)
**System Tools**:
- ansible-playbook (Ansible executor)
- bash (Bash executor)
- ssh (remote execution)
## Known Limitations
1. **Rollback Generation**: Not yet implemented
- Currently returns None in _generate_rollback_content()
- Future: Parse changes_made and generate inverse operations
2. **Bash Idempotency**: Scripts are NOT idempotent by default
- Users must write idempotent scripts manually
- Consider adding idempotency wrappers (check-before-change)
3. **Ansible Vault**: Not yet implemented
- No support for encrypted playbooks or variables
- Future: Add --vault-password-file support
4. **Parallel Bulk Execution**: Sequential only
- execute_bulk_remediation() runs remediations one-by-one
- Future: Use asyncio.gather() for parallel execution
5. **Credential Encryption**: SSH keys stored plaintext in MongoDB
- TODO: Integrate with Fernet encryption (like scan credentials)
## Testing Strategy
**Unit Tests Needed**:
- Executor validation methods
- Variable substitution
- Change extraction from output
- Error handling (timeouts, invalid content)
**Integration Tests Needed**:
- Ansible playbook execution against test VM
- Bash script execution (local and remote)
- Rollback functionality
- Bulk remediation workflow
**E2E Tests**:
1. Scan → Identify Failed Rules
2. Remediate (dry-run=true) → Verify no changes
3. Remediate (dry-run=false) → Apply changes
4. Re-scan → Verify rules now pass
5. Rollback → Restore original state
6. Re-scan → Verify rules fail again
## Future Enhancements
1. **Additional Executors**:
- TerraformExecutor: Infrastructure remediation
- KubernetesExecutor: Manifest application
- PythonExecutor: Custom Python scripts
2. **Intelligent Rollback**:
- Parse execution output for changes
- Generate inverse operations automatically
- Store pre-remediation state snapshots
3. **Approval Workflow**:
- Require manual approval for production systems
- Multi-stage approval (dev → staging → prod)
4. **Parallel Execution**:
- Bulk remediation with asyncio.gather()
- Dependency resolution for ordered execution
5. **Remediation Templates**:
- Pre-built remediation content library
- Template variables with validation
## Phase 1 Status
✅ Completed (5/7 tasks):
1. ✅ Enhanced ComplianceRule Model (PR #95 - merged)
2. ✅ Enhanced SCAP Converter (PR #97 - pending)
3. ✅ XCCDF Generator (PR #99 - pending)
4. ✅ Scan Service (PR #101 - pending)
5. ✅ **ORSA Remediation Engine (this commit)**
🚧 Remaining (2/7 tasks):
6. ⏳ Scan Configuration API (3-4 days)
7. ⏳ Frontend Variable Customization UI (5-7 days)
## Related Issues
- Implements: #102
- Depends on: #96 (PR #97 - remediation field)
- Blocks: #6 (Scan Configuration API)
Co-Authored-By: Claude <noreply@anthropic.com>
This was referenced Oct 15, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements Phase 1, Issue #2 of the 7-phase hybrid scanning architecture plan. Enhances the SCAP-to-OpenWatch converter to extract XCCDF variables and remediation content from SCAP YAML rules.
Related Issues
Changes
1. New SCAP YAML Parser Service (
scap_yaml_parser_service.py)XCCDFVariableExtractor:
RemediationExtractor:
ScannerTypeDetector:
2. Enhanced SCAP Converter Updates
Added CLI flags:
Populates Phase 1 fields (from PR #95):
Testing
Test 1: Kubernetes Rule (OpenShift Registry)
Input: `ocp_insecure_allowed_registries_for_import/rule.yml`
Output:
```json
{
"scanner_type": "kubernetes",
"xccdf_variables": {
"check_existence": {
"id": "check_existence",
"type": "string",
"default_value": "any_exist",
"interactive": true,
"sensitive": false
},
"values": {
"id": "values",
"type": "string",
"default_value": "[{'value': 'true', 'type': 'boolean', 'operation': 'not equal'}]"
}
}
}
```
✅ Scanner type correctly detected as kubernetes
✅ Template variables extracted
Test 2: Mock Sysctl Rule (IP Forwarding)
Input:
```yaml
template:
name: sysctl
vars:
sysctlvar: net.ipv4.ip_forward
sysctlval: '0'
```
Output:
```json
{
"scanner_type": "oscap",
"xccdf_variables": {
"sysctlvar": {
"id": "sysctlvar",
"type": "string",
"default_value": "net.ipv4.ip_forward"
},
"sysctlval": {
"id": "sysctlval",
"type": "boolean",
"default_value": "0"
}
},
"remediation": {
"ansible": "- name: Apply ansible.posix.sysctl configuration\n ansible.posix.sysctl:\n name: net.ipv4.ip_forward\n value: '0'\n state: present\n reload: true\n",
"bash": "#!/bin/bash\n# Apply sysctl configuration\n\nsysctl -w net.ipv4.ip_forward=0\necho "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf"
}
}
```
✅ Type inference (sysctlval detected as boolean from '0')
✅ Ansible task generated with correct module (ansible.posix.sysctl)
✅ Bash script generated with sysctl commands
Usage
```bash
Extract variables only
python -m backend.app.cli.scap_to_openwatch_converter_enhanced convert \
--scap-path /path/to/scap/content \
--output-path /output/dir \
--format json \
--extract-variables
Extract variables + remediation
python -m backend.app.cli.scap_to_openwatch_converter_enhanced convert \
--scap-path /path/to/scap/content \
--output-path /output/dir \
--format json \
--extract-variables \
--extract-remediation
Dry-run to see what would be extracted
python -m backend.app.cli.scap_to_openwatch_converter_enhanced convert \
--dry-run \
--extract-variables \
--extract-remediation
```
Backward Compatibility
✅ 100% Backward Compatible
Implementation Notes
Variable Type Inference
Constraint Detection
Remediation Mapping
Next Steps
After this PR merges:
Issue chore(deps): bump azure/setup-kubectl from 3 to 4 #3: XCCDF Data-Stream Generator from MongoDB
Issue chore(deps): bump actions/download-artifact from 3 to 5 #4: MongoDB-Based Scan Service
Bundle Regeneration: Regenerate openwatch-compliance bundle with variables
Documentation
See:
Checklist
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com