Thanks Shawn,

I have used NIST content validation and realized the test passed for ssg-rhel6-ds.xml (downloaded from https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip).

However, Nessus SCAP scanning gives the error "Default namespace not found in OVAL".

I am checking with the Nessus tech support team.

Thanks,
Riaz

On Tue, Apr 30, 2019 at 12:16 AM Shawn Wells <sh...@redhat.com> wrote:

> Would need to understand where the content is coming from. Perhaps
> scap-security-guide in RHEL, and if so, what RHEL and SSG version?
>
> Note Red Hat doesn’t publish rhel6 content in the National Checklist
> Program since rhel6 is out of active maintenance:
>
> https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0
>
> Once the content source/version is identified, the content can be
> run through the NIST content validator tooling to see if there are problems
> with the content itself.
>
> On Apr 29, 2019, at 11:19 AM, Jan Cerny <jce...@redhat.com> wrote:
>
> Hi,
>
> I have no idea. Does Nessus have any "verbose" mode to get a more
> helpful error message?
>
> Including the scap-security-guide list in this conversation because there
> might be people familiar with using SSG with Nessus.
>
> Regards
>
> On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim <mriazebrah...@gmail.com> wrote:
>
> > Hi Jan Cerny,
> >
> > Thanks a lot for your response. Your answer was very useful to understand
> > about SSG files. As per your advice I tried with
> > scap-security-guide-0.1.43-oval-510.zip and the XML validation error was gone,
> > but I am encountering a new error as below from Nessus:
> >
> > "ssg-rhel6-ds-1.zip : Default namespace not found in OVAL"
> >
> > Do you get any clue by seeing this error? Thanks in advance :)
> >
> > Thanks,
> > Riaz
> >
> > On Mon, Apr 29, 2019 at 2:44 PM Jan Cerny <jce...@redhat.com> wrote:
> >
> > Hi,
> >
> > I will try to answer, but I don't use Nessus, so I'm not sure what is
> > the exact reason of this fail.
> >
> > In general, the SSG files are validated against SCAP XML schemas, so
> > they are valid SCAP content.
> > However, the SCAP standard consists of multiple separate specifications.
> > Strictly speaking, the SSG datastream
> > doesn't conform to the SCAP 1.2 specification, because the datastream
> > contains OVAL checks conforming to OVAL
> > version 5.11, which is a part of SCAP 1.3. For SCAP 1.2 conformance it
> > would need to use OVAL checks
> > in version 5.10 or older.
> >
> > According to this forum thread, it seems that Nessus doesn't support
> > OVAL 5.11 yet, but they say it's planned to be updated:
> >
> > https://community.tenable.com/s/question/0D5f200005hKRwqCAG/nessus-pro-7-trouble-getting-oval-scans-to-work
> >
> > It could be a problem that Nessus expects datastreams that contain
> > OVAL 5.10 only.
> > Try using the SSG datastreams that contain OVAL 5.10 only. They can be
> > downloaded from
> >
> > https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip
> >
> > I hope Nessus should be able to consume these files.
> >
> > The reason why we use 5.11 is that it contains new checks that allow
> > us to easily check system services using systemd
> > and other new things introduced in RHEL 7. The aforementioned
> > datastreams that contain OVAL 5.10 only
> > have limited abilities in comparison with those containing OVAL 5.11.
> >
> > Best Regards
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.
> >
> > On Sat, Apr 27, 2019 at 6:34 AM Riaz Ebrahim <mriazebrah...@gmail.com> wrote:
> >
> > I need help on the openscap SSG project.
> >
> > I am currently exploring the SCAP Auditing feature from the Nessus console. I
> > understood that Nessus supports SCAP Content (1.0 or 1.1 or 1.2) which can
> > be downloaded from the NIST repository (https://nvd.nist.gov/ncp/repository)
> > based on the target host version. This works great. However, when I use SCAP
> > from OpenSCAP SSG (example "ssg-rhel6-ds.xml”), I am getting the error
> > “sg-rhel6-ds. .zip : sg-rhel6-ds.xml failed XML Schema validation” .
> >
> > I would like to know what the difference is between the openSSG scap data stream &
> > scap1.2 content downloaded from the NIST repository. How can I convert an openssg
> > data stream (Example - ssg-rhel6-ds.xml) to NIST scap 1.2 format?
> >
> > My objective - To use openscap SSG from Nessus. Nessus scap scanning
> > expects SCAP 1.0, 1.1 or 1.2 content (in zip format).
> >
> > Thanks in advance!
> >
> > _______________________________________________
> > Open-scap-list mailing list
> > Open-scap-list@redhat.com
> > https://www.redhat.com/mailman/listinfo/open-scap-list
>
> --
> Jan Černý
> Security Technologies | Red Hat, Inc.
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-gu...@lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/scap-security-gu...@lists.fedorahosted.org
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
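
The OVAL 5.11 versus 5.10 distinction raised in the thread can be checked directly on a data stream file before handing it to a scanner. The following is an added example, not code from the thread or from the SSG project; it runs on a constructed, heavily trimmed data stream, and the function names and sample component ids are assumptions.

```python
import xml.etree.ElementTree as ET

DS = "http://scap.nist.gov/schema/scap/source/1.2"
OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_COM = "http://oval.mitre.org/XMLSchema/oval-common-5"
MAX_SCAP12_OVAL = (5, 10)  # per the thread: SCAP 1.2 needs OVAL 5.10 or older

# Constructed sample: a real SSG data stream carries far more content per component.
SAMPLE = f"""<ds:data-stream-collection xmlns:ds="{DS}">
  <ds:component id="scap_example_comp_oval-a.xml">
    <oval_definitions xmlns="{OVAL_DEF}" xmlns:oval="{OVAL_COM}">
      <generator><oval:schema_version>5.11</oval:schema_version></generator>
    </oval_definitions>
  </ds:component>
  <ds:component id="scap_example_comp_oval-b.xml">
    <oval_definitions xmlns="{OVAL_DEF}" xmlns:oval="{OVAL_COM}">
      <generator><oval:schema_version>5.10.1</oval:schema_version></generator>
    </oval_definitions>
  </ds:component>
  <ds:component id="scap_example_comp_xccdf.xml"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"/></ds:component>
</ds:data-stream-collection>"""

def oval_versions(xml_text):
    """Return {component id: schema_version} for every OVAL component in the data stream."""
    root = ET.fromstring(xml_text)
    found = {}
    for comp in root.iter(f"{{{DS}}}component"):
        oval = comp.find(f"{{{OVAL_DEF}}}oval_definitions")
        if oval is None:
            continue  # XCCDF, OCIL or CPE component, not OVAL
        ver = oval.findtext(f"{{{OVAL_DEF}}}generator/{{{OVAL_COM}}}schema_version")
        found[comp.get("id")] = (ver or "").strip() or None
    return found

def newer_than_510(xml_text):
    """List OVAL components whose schema_version (major.minor) exceeds 5.10."""
    flagged = []
    for comp_id, ver in oval_versions(xml_text).items():
        if ver is None:
            flagged.append((comp_id, "missing schema_version"))
            continue
        major_minor = tuple(int(p) for p in ver.split(".")[:2])
        if major_minor > MAX_SCAP12_OVAL:
            flagged.append((comp_id, ver))
    return flagged

if __name__ == "__main__":
    for comp_id, ver in newer_than_510(SAMPLE):
        print(f"{comp_id}: OVAL {ver} is newer than 5.10")
```

To check a downloaded file, pass its contents in place of `SAMPLE`, for example `newer_than_510(open("ssg-rhel6-ds.xml", encoding="utf-8").read())`.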