I will try to answer, but I don't use Nessus, so I'm not sure what is
the exact reason of this fail.

In general, the SSG files are validated against SCAP XML schemas, so
they are valid SCAP content.
However, SCAP standard consist of multiple separate specifications.
Strictly speaking, the SSG datastream
doesn't conform to SCAP 1.2 specification, because the datastream
contains OVAL checks conforming to OVAL
version 5.11 which is a part of SCAP 1.3. For SCAP 1.2 conformance it
would need to use OVAL checks
in version 5.10 or older.

According to this forum thread, it seems that Nessus doesn't support
OVAL 5.11 it yet, but they say it's planned to be updated

It could be a problem that Nessus expects datastreams that  contain
OVAL 5.10 only.
Try using the SSG datastreams that contain OVAL 5.10 only. They can be
downloaded from
I hope Nessus should be able to consume these files.

The reason why we use 5.11 is that it contains new checks that allows
us to check easily system services using systemd
and other new things introduced in RHEL 7. The aforementioned
datastreams that contain OVAL 5.10 only
have limited abilities in comparison with those containing OVAL 5.11.

Best Regards

Jan Černý
Security Technologies | Red Hat, Inc.

On Sat, Apr 27, 2019 at 6:34 AM Riaz Ebrahim <mriazebrah...@gmail.com> wrote:
> I need help on openscap SSG project.
> I am currently exploring SCAP Auditing feature from Nessus console. I 
> understood that Nessus supports SCAP Content (1.0 or 1.1 or 1.2) which can be 
> downloaded from NIST repository (https://nvd.nist.gov/ncp/repository) based 
> on the target host version. This works great, However when i use SCAP from 
> OpenSCAP SSG (example "ssg-rhel6-ds.xml”), i am getting error as 
> “sg-rhel6-ds. .zip :  sg-rhel6-ds.xml failed XML Schema validation” .
> I would like to what is the difference between openSSG scap data stream &  
> scap1.2 content downloaded from NIST repository. How i can convert openssg 
> data stream (Example - ssg-rhel6-ds.xml) to NIST scap 1.2 format.
> My objective - To use openscap SSG from Nessus. Nessus scap scanning expects 
> SCAP 1.0, 1.1 or 1.2 content(in zip format).
> Thanks in advance!
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

Open-scap-list mailing list

Reply via email to