Hi,
I have no idea. Does Nessus have any "verbose" mode to get more helpful error message?
Including scap-security-guide list in this conversation because there might be people familiar with using SSG with Nessus.
Regards
On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim mriazebrahim1@gmail.com wrote:
Hi Jan Cerny,
Thanks a lot for your response, Your answer was very useful to understand about SSG files. As per your advice i tried with scap-security-guide-0.1.43-oval-510.zip and XML validation error was gone, but encountering new error as below from nessus
"ssg-rhel6-ds-1.zip : Default namespace not found in OVAL"
Do you get any clue by seeing this error?. Thanks in advance :)
Thanks, Riaz
On Mon, Apr 29, 2019 at 2:44 PM Jan Cerny jcerny@redhat.com wrote:
Hi,
I will try to answer, but I don't use Nessus, so I'm not sure what is the exact reason of this fail.
In general, the SSG files are validated against SCAP XML schemas, so they are valid SCAP content. However, SCAP standard consist of multiple separate specifications. Strictly speaking, the SSG datastream doesn't conform to SCAP 1.2 specification, because the datastream contains OVAL checks conforming to OVAL version 5.11 which is a part of SCAP 1.3. For SCAP 1.2 conformance it would need to use OVAL checks in version 5.10 or older.
According to this forum thread, it seems that Nessus doesn't support OVAL 5.11 it yet, but they say it's planned to be updated https://community.tenable.com/s/question/0D5f200005hKRwqCAG/nessus-pro-7-tro...
It could be a problem that Nessus expects datastreams that contain OVAL 5.10 only. Try using the SSG datastreams that contain OVAL 5.10 only. They can be downloaded from https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-s... I hope Nessus should be able to consume these files.
The reason why we use 5.11 is that it contains new checks that allows us to check easily system services using systemd and other new things introduced in RHEL 7. The aforementioned datastreams that contain OVAL 5.10 only have limited abilities in comparison with those containing OVAL 5.11.
Best Regards
Jan Černý Security Technologies | Red Hat, Inc.
On Sat, Apr 27, 2019 at 6:34 AM Riaz Ebrahim mriazebrahim1@gmail.com wrote:
I need help on openscap SSG project.
I am currently exploring SCAP Auditing feature from Nessus console. I understood that Nessus supports SCAP Content (1.0 or 1.1 or 1.2) which can be downloaded from NIST repository (https://nvd.nist.gov/ncp/repository) based on the target host version. This works great, However when i use SCAP from OpenSCAP SSG (example "ssg-rhel6-ds.xml”), i am getting error as “sg-rhel6-ds. .zip : sg-rhel6-ds.xml failed XML Schema validation” .
I would like to what is the difference between openSSG scap data stream & scap1.2 content downloaded from NIST repository. How i can convert openssg data stream (Example - ssg-rhel6-ds.xml) to NIST scap 1.2 format.
My objective - To use openscap SSG from Nessus. Nessus scap scanning expects SCAP 1.0, 1.1 or 1.2 content(in zip format).
Thanks in advance!
Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
-- Jan Černý Security Technologies | Red Hat, Inc.
Would need to understand where the content is coming from. Perhaps scap-security-guide in RHEL, and if so, what RHEL and SSG version?
Note red hat doesn’t publish rhel6 content in the National Checklist Program since rhel6 is out of active maintenance:
https://nvd.nist.gov/ncp/repository?authority=Red+Hat&startIndex=0
Once the content source/version version is identified , the content can be ran through the NIST content validator tooling to see if there are problems with the content itself.
On Apr 29, 2019, at 11:19 AM, Jan Cerny jcerny@redhat.com wrote:
Hi,
I have no idea. Does Nessus have any "verbose" mode to get more helpful error message?
Including scap-security-guide list in this conversation because there might be people familiar with using SSG with Nessus.
Regards
On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim mriazebrahim1@gmail.com wrote:
Hi Jan Cerny,
Thanks a lot for your response, Your answer was very useful to understand about SSG files. As per your advice i tried with scap-security-guide-0.1.43-oval-510.zip and XML validation error was gone, but encountering new error as below from nessus
"ssg-rhel6-ds-1.zip : Default namespace not found in OVAL"
Do you get any clue by seeing this error?. Thanks in advance :)
Thanks, Riaz
On Mon, Apr 29, 2019 at 2:44 PM Jan Cerny jcerny@redhat.com wrote:
Hi,
I will try to answer, but I don't use Nessus, so I'm not sure what is the exact reason of this fail.
In general, the SSG files are validated against SCAP XML schemas, so they are valid SCAP content. However, SCAP standard consist of multiple separate specifications. Strictly speaking, the SSG datastream doesn't conform to SCAP 1.2 specification, because the datastream contains OVAL checks conforming to OVAL version 5.11 which is a part of SCAP 1.3. For SCAP 1.2 conformance it would need to use OVAL checks in version 5.10 or older.
According to this forum thread, it seems that Nessus doesn't support OVAL 5.11 it yet, but they say it's planned to be updated https://community.tenable.com/s/question/0D5f200005hKRwqCAG/nessus-pro-7-tro...
It could be a problem that Nessus expects datastreams that contain OVAL 5.10 only. Try using the SSG datastreams that contain OVAL 5.10 only. They can be downloaded from https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-s... I hope Nessus should be able to consume these files.
The reason why we use 5.11 is that it contains new checks that allows us to check easily system services using systemd and other new things introduced in RHEL 7. The aforementioned datastreams that contain OVAL 5.10 only have limited abilities in comparison with those containing OVAL 5.11.
Best Regards
Jan Černý Security Technologies | Red Hat, Inc.
On Sat, Apr 27, 2019 at 6:34 AM Riaz Ebrahim mriazebrahim1@gmail.com wrote:
I need help on openscap SSG project.
I am currently exploring SCAP Auditing feature from Nessus console. I understood that Nessus supports SCAP Content (1.0 or 1.1 or 1.2) which can be downloaded from NIST repository (https://nvd.nist.gov/ncp/repository) based on the target host version. This works great, However when i use SCAP from OpenSCAP SSG (example "ssg-rhel6-ds.xml”), i am getting error as “sg-rhel6-ds. .zip : sg-rhel6-ds.xml failed XML Schema validation” .
I would like to what is the difference between openSSG scap data stream & scap1.2 content downloaded from NIST repository. How i can convert openssg data stream (Example - ssg-rhel6-ds.xml) to NIST scap 1.2 format.
My objective - To use openscap SSG from Nessus. Nessus scap scanning expects SCAP 1.0, 1.1 or 1.2 content(in zip format).
Thanks in advance!
Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
-- Jan Černý Security Technologies | Red Hat, Inc. _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
scap-security-guide@lists.fedorahosted.org
-
Jan Cerny -
Shawn Wells