Hi,

I have no idea. Does Nessus have any "verbose" mode to get a more
helpful error message?

Including scap-security-guide list in this conversation because there
might be people familiar with using SSG with Nessus.

Regards

On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim <mriazebrah...@gmail.com> wrote:
>
> Hi Jan Cerny,
>
> Thanks a lot for your response. Your answer was very useful for understanding
> the SSG files. As per your advice I tried
> scap-security-guide-0.1.43-oval-510.zip and the XML validation error was gone,
> but I am encountering a new error from Nessus, as below:
>
> "ssg-rhel6-ds-1.zip : Default namespace not found in OVAL"
>
> Do you get any clue from seeing this error? Thanks in advance :)
>
> Thanks,
> Riaz
>
> On Mon, Apr 29, 2019 at 2:44 PM Jan Cerny <jce...@redhat.com> wrote:
>>
>> Hi,
>>
>> I will try to answer, but I don't use Nessus, so I'm not sure what
>> the exact reason for this failure is.
>>
>> In general, the SSG files are validated against SCAP XML schemas, so
>> they are valid SCAP content.
>> However, the SCAP standard consists of multiple separate specifications.
>> Strictly speaking, the SSG datastream
>> doesn't conform to SCAP 1.2 specification, because the datastream
>> contains OVAL checks conforming to OVAL
>> version 5.11 which is a part of SCAP 1.3. For SCAP 1.2 conformance it
>> would need to use OVAL checks
>> in version 5.10 or older.
>>
>> According to this forum thread, it seems that Nessus doesn't support
>> OVAL 5.11 yet, but they say it's planned to be updated:
>> https://community.tenable.com/s/question/0D5f200005hKRwqCAG/nessus-pro-7-trouble-getting-oval-scans-to-work
>>
>> It could be a problem that Nessus expects datastreams that contain
>> OVAL 5.10 only.
>> Try using the SSG datastreams that contain OVAL 5.10 only. They can be
>> downloaded from
>> https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip
>> I hope Nessus should be able to consume these files.
>>
>> The reason why we use 5.11 is that it contains new checks that allow
>> us to easily check system services using systemd
>> and other new things introduced in RHEL 7. The aforementioned
>> datastreams that contain OVAL 5.10 only
>> have limited abilities in comparison with those containing OVAL 5.11.
>>
>> Best Regards
>>
>> Jan Černý
>> Security Technologies | Red Hat, Inc.
>>
>>
>> On Sat, Apr 27, 2019 at 6:34 AM Riaz Ebrahim <mriazebrah...@gmail.com> wrote:
>> >
>> > I need help on openscap SSG project.
>> >
>> > I am currently exploring the SCAP Auditing feature from the Nessus console. I
>> > understood that Nessus supports SCAP Content (1.0 or 1.1 or 1.2) which can
>> > be downloaded from NIST repository (https://nvd.nist.gov/ncp/repository)
>> > based on the target host version. This works great. However, when I use
>> > SCAP from OpenSCAP SSG (example "ssg-rhel6-ds.xml"), I am getting the error
>> > "sg-rhel6-ds. .zip :  sg-rhel6-ds.xml failed XML Schema validation".
>> >
>> > I would like to know what the difference is between the openSSG scap data stream &
>> > scap1.2 content downloaded from NIST repository. How can I convert an openssg
>> > data stream (Example - ssg-rhel6-ds.xml) to NIST scap 1.2 format?
>> >
>> >
>> > My objective - To use openscap SSG from Nessus. Nessus scap scanning
>> > expects SCAP 1.0, 1.1 or 1.2 content (in zip format).
>> >
>> >
>> > Thanks in advance!
>> >
>> > _______________________________________________
>> > Open-scap-list mailing list
>> > Open-scap-list@redhat.com
>> > https://www.redhat.com/mailman/listinfo/open-scap-list



--
Jan Černý
Security Technologies | Red Hat, Inc.
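
Added example, not part of the original thread and not code from OpenSCAP or Tenable: a pre-import check that lists the OVAL schema_version of every OVAL definitions document in a source datastream and flags those above 5.10, the limit for SCAP 1.2 described above. The function names and the sample datastream are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

DS = "http://scap.nist.gov/schema/scap/source/1.2"
OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_COM = "http://oval.mitre.org/XMLSchema/oval-common-5"
SCAP_12_MAX_OVAL = (5, 10)  # per the thread: SCAP 1.2 needs OVAL 5.10 or older

# Constructed sample: a datastream skeleton with one 5.10 and one 5.11 component.
SAMPLE = f"""<ds:data-stream-collection xmlns:ds="{DS}" xmlns:oval="{OVAL_COM}">
  <ds:component id="comp_oval_510"><oval_definitions xmlns="{OVAL_DEF}">
    <generator><oval:schema_version>5.10</oval:schema_version></generator>
  </oval_definitions></ds:component>
  <ds:component id="comp_oval_511"><oval_definitions xmlns="{OVAL_DEF}">
    <generator><oval:schema_version>5.11</oval:schema_version></generator>
  </oval_definitions></ds:component>
</ds:data-stream-collection>"""

def parse_version(text):
    """'5.11.2' -> (5, 11, 2); tuples compare numerically, so 5.11 > 5.2."""
    return tuple(int(part) for part in text.strip().split("."))

def oval_versions(xml_text):
    """Return [(component id, schema_version)] for every OVAL definitions document."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{OVAL_DEF}}}oval_definitions":  # standalone OVAL file
        docs = [("(standalone)", root)]
    else:  # source datastream: OVAL documents sit inside ds:component elements
        docs = [(comp.get("id"), oval)
                for comp in root.iter(f"{{{DS}}}component")
                for oval in comp.findall(f"{{{OVAL_DEF}}}oval_definitions")]
    path = f"{{{OVAL_DEF}}}generator/{{{OVAL_COM}}}schema_version"
    return [(cid, oval.findtext(path)) for cid, oval in docs]

def newer_than_scap_12(xml_text):
    """Components whose OVAL version is missing or above 5.10."""
    return [(cid, ver) for cid, ver in oval_versions(xml_text)
            if ver is None or parse_version(ver)[:2] > SCAP_12_MAX_OVAL]

if __name__ == "__main__":
    # Pass a datastream path (e.g. ssg-rhel6-ds.xml); without one the sample is used.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for cid, ver in oval_versions(text):
        print(f"{cid}: OVAL {ver}")
    flagged = newer_than_scap_12(text)
    print("OVAL within SCAP 1.2 range" if not flagged else f"too new or unknown: {flagged}")
```

This only reports the declared OVAL version; it does not run schema validation and does not reproduce whatever check produces the Nessus "Default namespace not found in OVAL" message.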
