
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Integrating PFCLScan and Creating SQL Reports

We were asked by a customer whether PFCLScan can generate SQL reports instead of the normal HTML, PDF and MS Word reports. They wanted to be able to scan all of the databases in their estate and then insert the high level results of the scans (pass / fail, number of issues) into a database, and potentially also insert all of the actual detailed results of each policy/test failure.

We can do this, and the ability was designed into the product from day 1, because a report can be created from any text based template file. The reporting language of PFCLScan is simple and template based. You create a text file that is a template of how you want the report to look (a nice HTML report, an XML report, an MS Word document or even a SQL*Plus script) and then use the PFCLScan reporting language template variables to insert report data where you need it. That "data" can come from the product, policies, project or scan results of course. So it's easy to create an SQL file to run instead of a fancy report.

I have written a new blog post on the product website running through an example of how to create SQL reports from PFCLScan.

This makes PFCLScan powerful, as it's easy to use the output and also to use automation. PFCLScan uses projects to manage each piece of work (a scan of all your databases, a scan of a single system, a scan of prod or of dev, and so on). In each project you manage targets, policy sets, the checks defined in the policy sets and the report templates. All of the policies are easily added to a new project, so defining a project with the targets you need and the checks you want is quick and simple.

The really cool thing though is that you can also run PFCLScan itself as a check in a policy. You can also run the reporting tool as a check in a policy. This is how we make automation very easy in PFCLScan, both to achieve powerful results and to simplify the tasks that you need to do. So, for example, one project can be created that reads an Excel sheet with a list of databases that need to be scanned. It first tests whether each database can be reached, and for those that can it generates a PFCLScan project to run. Then it runs each project to perform a detailed scan of each database and runs a report for each. This means that once set up (and each part is just projects, policies and checks configured in the normal way) you can run one project, supply one Excel sheet and scan any number of databases on demand each day from the GUI or from the command line, and also insert the data into a vulnerability database if needed.

We will post a new blog next week on the PFCLScan Website showing a simple example of this automation in PFCLScan to complement the SQL report demo in this new blog post.

Remember also that our pricing model is simple and very competitive; we charge per installation of our software, not per database that you scan, so it's very cost effective to use PFCLScan.