Vulnerability assessment (VA) policies : VA user-defined policies : Adding user-defined policies
 
Adding user-defined policies
1. Go to Policy> VA Policies of the left-side menu.
2. Select the User-Defined Policies tab.
3. Select the Add button.
4. Fill in the appropriate fields. Some of the fields to note are:
Field Name
Descriptions
ID
Enter a unique designator that can include any character, including alphanumerics, special characters, and white spaces.
SQL query
Enter the query that will be used when this User-Defined Policy is applied during an assessment.
Result Column Name(s)
Entries in this field are the column names referred to in the SQL query field. Multiple entries are delimited by semicolons.
The names can either be actual column names in your query, like empno in 'SELECT empno FROM scott.emp' or aliases like enumber in 'SELECT empno AS " enumber1"FROM scott.emp'
You can use the '*' column wild card in your queries; however, you must separately specify the name of each column for which you want report results. If, for example, you use 'SELECT * FROM scott.emp' against an Oracle target database, you must enter "empno;ename;job;mgr;hiredate;sal;comm;deptno" in this field in order to get a report on all columns in scott.emp
Note: Do not put spaces before or after the semicolons unless your aliased column names also have leading or trailing spaces, respectively.
Result Column Label(s)
Entries in this field are the column names that you would like to see in your reports. Multiple entries are delimited by semicolons.
Note: If you don't populate this field, your report's column headers will be the entries used for the Result Column Name(s) field.
Keywords
Entries in this field can be used when using a filter to create policy groups.

1 Leading or trailing spaces in the alias expression must also be specified in this field for the column's values to appear in your report. For example, assume there are two leading spaces in" enumber"; both spaces must be included in your Result Column Name(s)* entry.

5. Select the Save button.
Here is an Oracle example, which assumes you have access to the SCOTT schema:
a. Create a policy with these entries:
ID: unique designator
Name: myOracleUDP1
Database type: Oracle
SQL query: SELECT empno, ename from scott.emp
Result Column Name(s): empno;ename
Result Column Label(s): Employee Number;Employee Name
Severity: Informational
Classification: Unclassified
b. Select the Save in order to save myOracleUDP1.
c. Create a policy group, myUDPGroup, containing the new policy.
d. Create an assessment that runs against an Oracle target group and which uses myUDPGroup.
e. Run a Detailed (Pre-Defined) Report against your assessment and you should see several rows of Scan Results like this in the Informational Vulnerabilities section:
Employee Number 7369 Employee Name: SMITH
Here is another, slightly different, Oracle example, which uses column-name aliasing and, again, assumes you have access to the SCOTT schema:
a. Create a policy with these entries:
ID: can be any value
Name: myOracleUDP2
Database type: Oracle
SQL query: SELECT empno as "EmpID", ename as "Worker" from scott.emp
Result Column Name(s): EmpID;Worker
Result Column Label(s): Employee Number;Employee Name
Severity: Informational
Classification: Unclassified
b. Select the Save in order to save myOracleUDP1.
c. Create a policy group, myUDPGroup, containing the new policy.
d. Create an assessment that runs against an Oracle target group and which uses myUDPGroup.
e. Run a Detailed (Pre-Defined) Report against your assessment and you should see several rows of Scan Results like this in the Informational Vulnerabilities section:
Employee Number 7369 Employee Name: SMITH
See also
VA user-defined policies
Deleting user-defined policies
Exporting user-defined policies
Importing user-defined policies