On 12/9/16 6:24 PM, kelly.kaldenberg@saic.com wrote:
I have tried importing the outputs into Security Center following the guidance from Tenable.
http://static.tenable.com/prod_docs/SecurityCenter_5.0_SCAP_Assessments.pdf
The problem I encounter is that the scan returns with an "XML Validation Failed" message on the information module. I tried importing the SCAP content into a Nessus scanner breaking up the SCAP and OVAL content, but again, the scan fails.Tenable does not provide much information as to why the XML validation failed on the SCAP content.
I have successfully imported the DISA STIG for RHEL 7 and run in Security Center, but the DISA version is not structured for automated checks. That scan shows all the controls, but with a "Not Checked" status requiring manual review.
Well this is no good. The Tenable team has been very good about supporting SCAP, including getting Security Center SCAP 1.2 certified: https://www.tenable.com/blog/tenable-s-securitycenter-5-achieves-scap-12-cer...
Even made sure the OpenSCAP JBoss content could be ingested with their tools a few years ago: https://community.tenable.com/thread/5914
I reached out to Ron offline asking who we could work with at Tenable to troubleshoot.
FYI @Martin - CC'd you on that note.