The following steps should get you up and running with a policy scan against an Oracle database server.

Configure the oracle.xml File

You need to edit the policy configuration file provided in a default Nexpose installation. The file is located here:

  • [installation_directory]/plugins/java/1/OraclePolicyScanner/1/oracle.xml

Create a backup of the file and make the following modifications to the XML:

  • Update the description (line 2) to something more appropriate. I used Oracle 11i Security Policy.
  • Modify the **version regex **(line 5) to something more appropriate. I used .* to just go ahead and match anything. If you are only scanning version 11i, feel free to use ^11.*.
  • Modify the remote_os_authent (line 66) to TRUE.

Other modifications can be made to fine-tune the policy, but this should get you up and running.

Set up Scan Template in UI

You can do the following:

  • From the _Administration _tab, click manage Scan Templates.
    • Copy the Exhaustive template.
    • Rename template to "Oracle Policy Scan" and add a Description__.
    • Uncheck Web Spidering (this step isn't absolutely necessary, but it will slow down your scanning if you don't need it).
    • Go to the Vulnerability Checks section.
      • Select Perform unsafe checks to on.
      • Select Include potential vulnerability checks to on.
    • Go to the Oracle Policy section.
      • Enter the Policy file name(s) of the policy file you have already created. Default is oracle.xml.
    • Save the scan template.

Configure a Site

Set up a Site to scan an Oracle database using your new policy.

  • Under Scan Setup, select the "Oracle Policy Scan" template you created in the previous step.
  • Under Credentials, create a new Oracle credential, and enter the appropriate information. Here is my sample:
    • Logon type => Oracle
    • SID => test (name of the database you've set up previously)
    • Username => sys as sysdba
    • Password =>
    • Asset to test against => (IP or hostname of the server)
    • Port to test against => 1521
  • Make sure to Test your credentials. If this is configured correctly, you should be able to get a successful test here. If not, do not proceed until you do.

Scan Your Site