Hi, I have no idea. Does Nessus have any "verbose" mode to get more helpful error message?
Including scap-security-guide list in this conversation because there might be people familiar with using SSG with Nessus. Regards On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim <[email protected]> wrote: > > Hi Jan Cerny, > > Thanks a lot for your response, Your answer was very useful to understand > about SSG files. As per your advice i tried with > scap-security-guide-0.1.43-oval-510.zip and XML validation error was gone, > but encountering new error as below from nessus > > "ssg-rhel6-ds-1.zip : Default namespace not found in OVAL" > > Do you get any clue by seeing this error?. Thanks in advance :) > > Thanks, > Riaz > > On Mon, Apr 29, 2019 at 2:44 PM Jan Cerny <[email protected]> wrote: >> >> Hi, >> >> I will try to answer, but I don't use Nessus, so I'm not sure what is >> the exact reason of this fail. >> >> In general, the SSG files are validated against SCAP XML schemas, so >> they are valid SCAP content. >> However, SCAP standard consist of multiple separate specifications. >> Strictly speaking, the SSG datastream >> doesn't conform to SCAP 1.2 specification, because the datastream >> contains OVAL checks conforming to OVAL >> version 5.11 which is a part of SCAP 1.3. For SCAP 1.2 conformance it >> would need to use OVAL checks >> in version 5.10 or older. >> >> According to this forum thread, it seems that Nessus doesn't support >> OVAL 5.11 it yet, but they say it's planned to be updated >> https://community.tenable.com/s/question/0D5f200005hKRwqCAG/nessus-pro-7-trouble-getting-oval-scans-to-work >> >> It could be a problem that Nessus expects datastreams that contain >> OVAL 5.10 only. >> Try using the SSG datastreams that contain OVAL 5.10 only. They can be >> downloaded from >> https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip >> I hope Nessus should be able to consume these files. >> >> The reason why we use 5.11 is that it contains new checks that allows >> us to check easily system services using systemd >> and other new things introduced in RHEL 7. The aforementioned >> datastreams that contain OVAL 5.10 only >> have limited abilities in comparison with those containing OVAL 5.11. >> >> Best Regards >> >> Jan Černý >> Security Technologies | Red Hat, Inc. >> >> >> On Sat, Apr 27, 2019 at 6:34 AM Riaz Ebrahim <[email protected]> wrote: >> > >> > I need help on openscap SSG project. >> > >> > I am currently exploring SCAP Auditing feature from Nessus console. I >> > understood that Nessus supports SCAP Content (1.0 or 1.1 or 1.2) which can >> > be downloaded from NIST repository (https://nvd.nist.gov/ncp/repository) >> > based on the target host version. This works great, However when i use >> > SCAP from OpenSCAP SSG (example "ssg-rhel6-ds.xml”), i am getting error as >> > “sg-rhel6-ds. .zip : sg-rhel6-ds.xml failed XML Schema validation” . >> > >> > I would like to what is the difference between openSSG scap data stream & >> > scap1.2 content downloaded from NIST repository. How i can convert openssg >> > data stream (Example - ssg-rhel6-ds.xml) to NIST scap 1.2 format. >> > >> > >> > My objective - To use openscap SSG from Nessus. Nessus scap scanning >> > expects SCAP 1.0, 1.1 or 1.2 content(in zip format). >> > >> > >> > Thanks in advance! >> > >> > _______________________________________________ >> > Open-scap-list mailing list >> > [email protected] >> > https://www.redhat.com/mailman/listinfo/open-scap-list -- Jan Černý Security Technologies | Red Hat, Inc. _______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
