Re: [Open-scap] Need help on openscap SSG question
Thanks Shawn,

I have used NIST content validation and realized the test passed for ssg-rhel6-ds.xml (downloaded from https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip).

However, Nessus SCAP scanning gives the error "Default namespace not found in OVAL".

I am checking with the Nessus tech support team.

Thanks,
Riaz

On Tue, Apr 30, 2019 at 12:16 AM Shawn Wells wrote:
> Would need to understand where the content is coming from. Perhaps
> scap-security-guide in RHEL, and if so, what RHEL and SSG version?
>
> Note Red Hat doesn’t publish rhel6 content in the National Checklist
> Program since rhel6 is out of active maintenance:
>
> https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0
>
> Once the content source/version is identified, the content can be
> run through the NIST content validator tooling to see if there are problems
> with the content itself.
Re: [Open-scap] Need help on openscap SSG question
Would need to understand where the content is coming from. Perhaps scap-security-guide in RHEL, and if so, what RHEL and SSG version?

Note Red Hat doesn’t publish rhel6 content in the National Checklist Program since rhel6 is out of active maintenance:

https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0

Once the content source/version is identified, the content can be run through the NIST content validator tooling to see if there are problems with the content itself.

> On Apr 29, 2019, at 11:19 AM, Jan Cerny wrote:
>
> Hi,
>
> I have no idea. Does Nessus have any "verbose" mode to get a more
> helpful error message?
>
> Including the scap-security-guide list in this conversation because there
> might be people familiar with using SSG with Nessus.
>
> Regards
Re: [Open-scap] Need help on openscap SSG question
Hi,

I have no idea. Does Nessus have any "verbose" mode to get a more helpful error message?

Including the scap-security-guide list in this conversation because there might be people familiar with using SSG with Nessus.

Regards

On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim wrote:
>
> Hi Jan Cerny,
>
> Thanks a lot for your response. Your answer was very useful to understand
> about SSG files. As per your advice I tried with
> scap-security-guide-0.1.43-oval-510.zip and the XML validation error was gone,
> but I am encountering a new error as below from Nessus:
>
> "ssg-rhel6-ds-1.zip : Default namespace not found in OVAL"
>
> Do you get any clue by seeing this error? Thanks in advance :)
>
> Thanks,
> Riaz

--
Jan Černý
Security Technologies | Red Hat, Inc.
Re: [Open-scap] Need help on openscap SSG question
Hi,

I will try to answer, but I don't use Nessus, so I'm not sure what is the exact reason of this fail.

In general, the SSG files are validated against SCAP XML schemas, so they are valid SCAP content. However, the SCAP standard consists of multiple separate specifications. Strictly speaking, the SSG datastream doesn't conform to the SCAP 1.2 specification, because the datastream contains OVAL checks conforming to OVAL version 5.11, which is a part of SCAP 1.3. For SCAP 1.2 conformance it would need to use OVAL checks in version 5.10 or older.

According to this forum thread, it seems that Nessus doesn't support OVAL 5.11 yet, but they say it's planned to be updated:
https://community.tenable.com/s/question/0D5f25hKRwqCAG/nessus-pro-7-trouble-getting-oval-scans-to-work

It could be a problem that Nessus expects datastreams that contain OVAL 5.10 only. Try using the SSG datastreams that contain OVAL 5.10 only. They can be downloaded from
https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip
I hope Nessus should be able to consume these files.

The reason why we use 5.11 is that it contains new checks that allow us to easily check system services using systemd and other new things introduced in RHEL 7. The aforementioned datastreams that contain OVAL 5.10 only have limited abilities in comparison with those containing OVAL 5.11.

Best Regards

Jan Černý
Security Technologies | Red Hat, Inc.

On Sat, Apr 27, 2019 at 6:34 AM Riaz Ebrahim wrote:
>
> I need help on the openscap SSG project.
>
> I am currently exploring the SCAP Auditing feature from the Nessus console. I
> understood that Nessus supports SCAP Content (1.0 or 1.1 or 1.2) which can be
> downloaded from the NIST repository (https://nvd.nist.gov/ncp/repository) based
> on the target host version. This works great. However, when I use SCAP from
> OpenSCAP SSG (example "ssg-rhel6-ds.xml"), I am getting an error as
> “sg-rhel6-ds. .zip : sg-rhel6-ds.xml failed XML Schema validation”.
>
> I would like to know what is the difference between openSSG scap data stream &
> scap1.2 content downloaded from NIST repository. How can I convert openssg
> data stream (Example - ssg-rhel6-ds.xml) to NIST scap 1.2 format?
>
> My objective - To use openscap SSG from Nessus. Nessus scap scanning expects
> SCAP 1.0, 1.1 or 1.2 content (in zip format).
>
> Thanks in advance!
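Added example, not part of the original thread: the reply above ties SCAP 1.2 conformance to the OVAL version inside the datastream, so this sketch lists the `schema_version` declared by every OVAL component of a source datastream and flags those above 5.10. The sample datastream and its component ids are constructed for illustration; the namespace URIs are the standard SCAP 1.2 source datastream and OVAL 5 ones.

```python
import re
import sys
import xml.etree.ElementTree as ET

DS = "{http://scap.nist.gov/schema/scap/source/1.2}"
DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
COMMON = "{http://oval.mitre.org/XMLSchema/oval-common-5}"

# Constructed sample: a cut-down datastream with one XCCDF and two OVAL components.
SAMPLE_DS = """\
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <ds:component id="comp_xccdf"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
      id="xccdf_org.example_benchmark_demo"/></ds:component>
  <ds:component id="comp_oval_a">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <generator><oval:schema_version>5.10</oval:schema_version></generator>
    </oval_definitions>
  </ds:component>
  <ds:component id="comp_oval_b">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <generator><oval:schema_version>5.11.2</oval:schema_version></generator>
    </oval_definitions>
  </ds:component>
</ds:data-stream-collection>
"""

def oval_versions(xml_data):
    """Map each OVAL component id to the schema_version its generator declares."""
    versions = {}
    for comp in ET.fromstring(xml_data).iter(DS + "component"):
        oval = comp.find(DEF + "oval_definitions")
        if oval is None:
            continue  # XCCDF, CPE dictionary, OCIL ... not an OVAL component
        ver = oval.findtext(f"{DEF}generator/{COMMON}schema_version", default="")
        versions[comp.get("id")] = ver.strip()
    return versions

def newer_than_510(versions):
    """Return ids of OVAL components above 5.10, or with no readable version."""
    flagged = []
    for comp_id, ver in versions.items():
        m = re.match(r"(\d+)\.(\d+)", ver)
        if not m or (int(m[1]), int(m[2])) > (5, 10):
            flagged.append(comp_id)
    return sorted(flagged)

if __name__ == "__main__":
    found = oval_versions(open(sys.argv[1], "rb").read() if sys.argv[1:] else SAMPLE_DS)
    print(found, "-> newer than 5.10:", newer_than_510(found))
```

Run it with the path to a datastream file as the only argument; with no argument it uses the constructed sample.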
[Open-scap] Need help on openscap SSG question
I need help on the openscap SSG project.

I am currently exploring the SCAP Auditing feature from the Nessus console. I understood that Nessus supports SCAP Content (1.0 or 1.1 or 1.2) which can be downloaded from the NIST repository (https://nvd.nist.gov/ncp/repository) based on the target host version. This works great. However, when I use SCAP from OpenSCAP SSG (example "ssg-rhel6-ds.xml"), I am getting an error as “sg-rhel6-ds. .zip : sg-rhel6-ds.xml failed XML Schema validation”.

I would like to know what is the difference between openSSG scap data stream & scap1.2 content downloaded from NIST repository. How can I convert openssg data stream (Example - ssg-rhel6-ds.xml) to NIST scap 1.2 format?

My objective - To use openscap SSG from Nessus. Nessus scap scanning expects SCAP 1.0, 1.1 or 1.2 content (in zip format).

Thanks in advance!