May 10, 2020. Oracle quietly began shipping Oracle Database 10g and Oracle JDeveloper 10g for the Mac OS X Server in late December, an Oracle spokesperson confirmed. Whether anybody cares is another.

I was switching to a new client this month, so I decided to treat myself to a top-of-the-line 17" Apple MacBook Pro. I've seen a lot of co-workers at AOL walking around the building with the MBP and I was hit with Mac-envy.

Preface. This guide describes how to install and configure Oracle Database Client 10g Release 2 (10.2) on Apple Mac OS X (Intel). Audience. This guide is intended for anyone responsible for installing Oracle Database Client 10g Release 2 (10.2) on a single Apple Mac OS X (Intel) system.

Oracle Database 10g and Oracle JDeveloper 10g Are Now Shipping. With the certification of Oracle Database 10g on Mac OS X Server and Oracle JDeveloper 10g on Mac OS X, Oracle and Apple deliver a flexible, affordable and easy-to-manage enterprise database platform that is ideal for developing and deploying grid computing solutions. Here are major reasons to develop and deploy Oracle Database.

While there isn't an Oracle database version for the Intel chip set, you can install a VMWare Fusion virtual machine and access the database from the Mac OS natively. The Mac Leopard version of the Oracle Client software was released a few months ago. You can find instructions for configuring the Oracle Client software on my blog.


After a few days... Although I still love the machine, my first week did not go smoothly.
My original goal was to install Oracle 10g and Eclipse to emulate the Unix development environment on my MacBook Pro. So I started by downloading Oracle 10g from the Oracle site itself:
Oracle Download Site
There is a link on this page for 'Oracle Database 10g Release 1 (10.1.0.3) for Mac OS X Server'. If you have an Intel-based MacBook Pro like me (Core Duo 2), THIS WILL NOT WORK! I spent hours working through the pre-install documentation over and over again to find out what I was doing wrong... It turns out that Oracle 10g (as of v10.1.0.3, which was the latest version for OS X on Mac as of July 2007) does not work on Intel-based Macs!
So since I can't run 10g on Mac OS X natively -- I thought I'd use Apple's Boot Camp to run 10g under XP or Vista.
And knowing that the Core Duo 2 chips are 64-bit chips - I purchased a copy of Vista 64-bit Home Premium. That was the start of my second mistake.
Apple Boot Camp
Although Windows Vista 64-bit Home Premium was booting on my MacBook Pro, I had no networking support, no sound, and no ATI enhanced graphics support. After struggling with Boot Camp for another few hours, I discovered that Boot Camp v1.3 (the latest as of July 2007) does not work with 64-bit Windows operating systems! Well, it actually does, but you won't have audio drivers, network drivers, camera, extended keyboard, or extended USB support.
After more research, I stumbled upon this link which describes how to install a Red-Hat clone using Parallels in Mac OS X in order to run Oracle 10g.
Install Oracle 10g on an Intel Mac
If I found this link first, I might have been willing to try it. But at this point, I was exhausted. So I took the easy route.
This is the solution I eventually settled upon:

  1. Install Apple Boot Camp (free). Be sure to read the Boot Camp documentation; you will need a blank CD-R and a real installation disk of some variant of a 32-bit Windows operating system (XP or Vista).

  2. Partition your drive via Boot Camp. I chose NTFS for my file-system.

  3. Install Windows XP via Boot Camp

  4. After the full XP installation is completed, you will need to run the Boot Camp CD that was burned by Boot Camp while in the fresh-Windows installation in order to install Windows drivers for all the MacBook Pro devices.


This all worked perfectly -- and now I could dual-boot my MacBook Pro and have a true Windows environment or true OS X environment.
Random Mac Tips:

  • Hold the 'Option' key to choose which partition you want to use while booting.

  • Press the TrackPad while booting to eject the CD


Next I installed 'Oracle Database 10g Release 2 (10.2.0.1.0) for Microsoft Windows' from the Oracle download page.

Oracle download page
Important Note! If you do not have a fixed IP address, you will need to install the Microsoft Loopback Adapter and choose a fixed IP address. Do this BEFORE installing Oracle, or else you will most likely have to remove and re-install Oracle.
KnowledgeBase article about installing the Microsoft Loopback Adapter



Now Oracle 10g should install without a problem.
Then, I decided to push my luck, and try out Parallels. Parallels gives me a virtual Windows machine within a running Mac OS X environment. There is a 15-day free trial available.



Parallels Desktop for Mac
Parallels installed flawlessly, identified my Boot Camp partition, and created its own variant of the Boot Camp launch configuration.
Once completed - Windows XP was running within a window on my Mac OS X desktop!
One last piece was missing though, the Mac could not communicate to Oracle within Parallels Desktop. By default, XP Home installs a Windows Firewall. What Parallels does is create two separate virtual machines running on the same MacBook Pro. So although they are on the same desktop and same machine, they cannot talk to each other because Windows has its own Firewall.
Visit the Windows Control Panel / Firewall Settings, and add Oracle-friendly-ports such as 1158, 1521, and 5560.
Now - within a single desktop environment - I can build applications in Java on OS X while accessing Oracle 10g on Windows.

Findings (MAC III - Administrative Sensitive)


| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-2608 | High | The Oracle Listener should be configured to require administration authentication. | Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits; loss of connection audit ... |
| V-3812 | High | Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations. | Database passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to the DBMS. |
| V-15104 | High | Sensitive data served by the DBMS should be protected by encryption when transmitted across the network. | Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review. |
| V-15636 | High | Passwords should be encrypted when transmitted across the network. | DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. |
| V-5658 | High | Vendor supported software is evaluated and patched against newly found vulnerabilities. | Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack. |
| V-15658 | Medium | The DBMS warning banner should meet DoD policy requirements. | Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message ... |
| V-15110 | Medium | Use of the DBMS installation account should be logged. | The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost. |
| V-15111 | Medium | Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions. | The DBMS software installation account is granted privileges not required for DBA or other functions. Use of accounts configured with excess privileges may result in unauthorized or unintentional ... |
| V-15116 | Medium | The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements. | The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components. |
| V-6756 | Medium | Only necessary privileges to the host system should be granted to DBA OS accounts. | Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system. |
| V-16032 | Medium | Remote administration should be disabled for the Oracle connection manager. | Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service. |
| V-3497 | Medium | The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON. | The Oracle listener process can be dynamically configured. By connecting to the listener process directly, usually through the Oracle LSNRCTL utility, a user may change any of the parameters ... |
| V-15118 | Medium | Remote administrative access to the database should be monitored by the IAO or IAM. | Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to ... |
| V-15652 | Medium | DBMS remote administration should be audited. | When remote administration is available, the vulnerability to attack for administrative access is increased. An audit of remote administrative access provides additional means to discover ... |
| V-4754 | Medium | Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications. | Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security ... |
| V-15656 | Medium | The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level. | Applications that access databases and databases connecting to remote databases that differ in their assigned classification levels may expose sensitive data to unauthorized clients. Any ... |
| V-3813 | Medium | DBMS tools or applications that echo or require a password entry in clear text should be protected from password display. | Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if ... |
| V-3811 | Medium | Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented. | New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with ... |
| V-15122 | Medium | The database should not be directly accessible from public or unauthorized networks. | Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by ... |
| V-15131 | Medium | Sensitive information stored in the database should be protected by encryption. | Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing. |
| V-15132 | Medium | Database data files containing sensitive information should be encrypted. | Where system and DBMS access controls do not provide complete protection of sensitive or classified information, the Information Owner may require encryption to provide additional protection. ... |
| V-15179 | Medium | The DBMS should not share a host supporting an independent security service. | The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides ... |
| V-3827 | Medium | Audit trail data should be reviewed daily or more frequently. | Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensures that such access is discovered in a timely ... |
| V-2422 | Medium | The DBMS software installation account should be restricted to authorized users. | DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on database security and operation. It is especially ... |
| V-15621 | Medium | Network access to the DBMS must be restricted to authorized personnel. | Network listeners provide the means to connect to the DBMS from remote systems. Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially ... |
| V-3440 | Medium | Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements. | Multi-tier systems may be configured with the database and connecting middle-tier system located on an internal network, with the database located on an internal network behind a firewall and the ... |
| V-15608 | Medium | Access to DBMS software files and directories should not be granted to unauthorized users. | The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. ... |
| V-15126 | Medium | Database backup procedures should be defined, documented and implemented. | Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss. |
| V-15620 | Medium | OS accounts used to execute external procedures should be assigned minimum privileges. | External applications spawned by the DBMS process may be executed under OS accounts assigned unnecessary privileges that can lead to unauthorized access to OS resources. Unauthorized access to OS ... |
| V-15651 | Medium | Remote DBMS administration should be documented and authorized or disabled. | Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users. |
| V-15643 | Medium | Access to DBMS security data should be audited. | DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Auditing of access to this data supports forensic and accountability ... |
| V-15625 | Medium | Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. | A DBMS may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security ... |
| V-15105 | Medium | Unauthorized access to external database objects should be removed from application user roles. | Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources ... |
| V-15107 | Medium | DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts. | Unauthorized restoration of database data, objects, or other configuration or features can result in a loss of data integrity, unauthorized configuration, or other DBMS interruption or compromise. |
| V-15106 | Medium | DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges. | Excess privilege assignment can lead to intentional or unintentional unauthorized actions. Such actions may compromise the operation or integrity of the DBMS and its data. Monitoring assigned ... |
| V-2612 | Medium | Oracle SQLNet and listener log files should not be accessible to unauthorized users. | The SQLNet and Listener log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information ... |
| V-6767 | Medium | The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable. | DBMS systems that do not follow DoD, vendor and/or public best security practices are vulnerable to related published vulnerabilities. A DoD reference document such as a security technical ... |
| V-15102 | Medium | Automated notification of suspicious activity detected in the audit trail should be implemented. | Audit record collection may quickly overwhelm storage resources and an auditor's ability to review it in a productive manner. Automated tools can provide the means to manage the audit data ... |
| V-16055 | Medium | Oracle Application Express or Oracle HTML DB should not be installed on a production database. | The Oracle Application Express, formerly called HTML DB, is an application development component installed by default with Oracle. Unauthorized application development can introduce a variety of ... |
| V-15109 | Medium | DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems. | Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the ... |
| V-2423 | Medium | Database software, applications and configuration files should be monitored to discover unauthorized changes. | Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations. |
| V-15141 | Medium | DBMS processes or services should run under custom, dedicated OS accounts. | Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of ... |
| V-15140 | Medium | Procedures and restrictions for import of production data to development databases should be documented, implemented and followed. | Data export from production databases may include sensitive data. Application developers may not be cleared for or have need-to-know to sensitive data. Any access they may have to production data ... |
| V-15143 | Medium | Database data encryption controls should be configured in accordance with application requirements. | Access to sensitive data may not always be sufficiently protected by authorizations and require encryption. In some cases, the required encryption may be provided by the application accessing the ... |
| V-3807 | Medium | All applications that access the database should be logged in the audit trail. | Protections and privileges are designed within the database to correspond to access via authorized software. Use of unauthorized software to access the database could indicate an attempt to bypass ... |
| V-15144 | Medium | Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation. | A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned is not being secured at a level appropriate to the risk it poses. |
| V-15147 | Medium | The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files. | Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource ... |
| V-15146 | Medium | The DBMS should not be operated without authorization on a host system supporting other application services. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and ... |
| V-15148 | Medium | DBMS network communications should comply with PPS usage restrictions. | Use of default ports is required in DoD networks to support network security device management. |
| V-15121 | Medium | DBMS software libraries should be periodically backed up. | The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS ... |
| V-15120 | Medium | DBMS backup and restoration files should be protected from unauthorized access. | Lost or compromised DBMS backup and restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. Backup files need the same protections against ... |
| V-15127 | Medium | The IAM should review changes to DBA role assignments. | Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight to the authorization and assignment of privileges provides the separation of duty to ... |
| V-4758 | Medium | An upgrade/migration plan should be developed to address an unsupported DBMS software version. | Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan ... |
| V-15659 | Medium | Credentials used to access remote databases should be protected by encryption and restricted to authorized users. | Access to database connection credential stores provides easy access to the database. Unauthorized access to the database can result without controls in place to prevent unauthorized access to the ... |
| V-15618 | Medium | Access to external DBMS executables should be disabled or restricted. | The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally ... |
| V-3862 | Medium | The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0. | The INBOUND_CONNECT_TIMEOUT_[listener-name] and SQLNET.INBOUND_CONNECT_TIMEOUT defines the limit the database listener and database server respectively will wait for a client connection to ... |
| V-3863 | Medium | The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0. | The SQLNET.EXPIRE_TIME parameter defines a limit for the frequency of active connection verification of a client connection. This prevents indefinite open connections to the database where client ... |
| V-3803 | Medium | A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations. | Production, development and other non-production DBMS installations have different access and security requirements. Shared production/non-production DBMS installations secured at a ... |
| V-15139 | Medium | Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation. | Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches ... |
| V-3842 | Medium | The Oracle software installation account should not be granted excessive host system privileges. | A compromise of the Oracle database process could be used to gain access to the host operating system under the security account of the process owner. Limitation of the privileges assigned to the ... |
| V-3806 | Medium | A baseline of database application software should be documented and maintained. | Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS ... |
| V-3825 | Medium | Remote administrative connections to the database should be encrypted. | Communications between a client and database service across the network may contain sensitive information including passwords. This is particularly true in the case of administrative activities. ... |
| V-15129 | Medium | Backup and recovery procedures should be developed, documented, implemented and periodically tested. | Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights, ... |
| V-3809 | Medium | A single database connection configuration file should not be used to configure all database clients. | Many sites distribute a single client database connection configuration file to all site database users that contains network access information for all databases on the site. Such a file provides ... |
| V-16056 | Medium | Oracle Configuration Manager should not remain installed on a production system. | Oracle Configuration Manager (OCM) is a function of the Oracle Software Configuration Manager (SCM). OCM collects system configuration data used for automated upload to systems owned and managed ... |
| V-16057 | Medium | The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter should be set to a value of 10 or higher. | Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, ... |
| V-15662 | Medium | Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports. | Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also ... |
| V-5659 | Medium | The latest security patches should be installed. | Maintaining the currency of the software version protects the database from known vulnerabilities. |
| V-15649 | Medium | The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions. | The DBMS opens data files and reads configuration files at system startup, system shutdown and during abort recovery efforts. If the DBMS does not verify the trustworthiness of these files, it is ... |
| V-15610 | Medium | DBMS should use NIST FIPS 140-2 validated cryptography. | Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken ... |
| V-15108 | Medium | Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes. | The developer role does not include need-to-know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise ... |
| V-15112 | Low | The DBMS should be periodically tested for vulnerability management and IA compliance. | The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a ... |
| V-3728 | Low | Unused database components, database application software and database objects should be removed from the DBMS system. | Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the ... |
| V-3866 | Low | The Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet. | The Oracle Management Agent (Oracle Intelligent Agent in earlier versions) provides the mechanism for local and/or remote management of the local Oracle Database by Oracle Enterprise Manager or ... |
| V-15150 | Low | The DBMS requires a System Security Plan containing all required information. | A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the ... |
| V-16031 | Low | The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts. | The use of IP address in place of host names helps to protect against malicious corruption or spoofing of host names. Use of static IP addresses is considered more stable and reliable than use of ... |
| V-3805 | Low | Application software should be owned by a Software Application account. | File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege ... |
| V-15622 | Low | DBMS service identification should be unique and clearly identifies the service. | Local or network services that do not employ unique or clearly identifiable targets can lead to inadvertent or unauthorized connections. |
| V-2420 | Low | Database executable and configuration files should be monitored for unauthorized modifications. | Changes to files in the DBMS software directory including executable, configuration, script, or batch files can indicate malicious compromise of the software files. Changes to non-executable ... |
| V-3726 | Low | Configuration management procedures should be defined and implemented for database software modifications. | Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All changes to software libraries related to the database and its use need to be reviewed, considered, and ... |
| V-15145 | Low | The DBMS restoration priority should be assigned. | When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without proper assignment of the priority placed on restoration of the DBMS and its ... |
| V-3845 | Low | OS DBA group membership should be restricted to authorized accounts. | Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down) in addition to all privileges controlled under database ... |
| V-15138 | Low | The DBMS IA policies and procedures should be reviewed annually or more frequently. | A regular review of current database security policies and procedures is necessary to maintain the desired security posture of the DBMS. Policies and procedures should be measured against current ... |
| V-15611 | Low | The audit logs should be periodically monitored to discover DBMS access using unauthorized applications. | Regular and timely reviews of audit records increases the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to ... |
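
Several findings above name concrete Oracle Net parameters (V-3497, V-3862, V-3863, V-16057, V-16031). The following is an added example, not part of the STIG or the original page, that checks a `listener.ora` / `sqlnet.ora` pair against them. The sample files are constructed, and treating an absent timeout or version parameter as an open finding is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample files (not from the page): a weak pair and a hardened pair.
WEAK_LISTENER = """\
# constructed sample
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = macbook-xp)(PORT = 1521))
  )
ADMIN_RESTRICTIONS_LISTENER = OFF
INBOUND_CONNECT_TIMEOUT_LISTENER = 0
"""
WEAK_SQLNET = """\
SQLNET.EXPIRE_TIME = 0
SQLNET.ALLOWED_LOGON_VERSION = 8
"""
HARDENED_LISTENER = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.10)(PORT = 1521))
  )
ADMIN_RESTRICTIONS_LISTENER = ON
INBOUND_CONNECT_TIMEOUT_LISTENER = 60
"""
HARDENED_SQLNET = """\
SQLNET.INBOUND_CONNECT_TIMEOUT = 120
SQLNET.EXPIRE_TIME = 10
SQLNET.ALLOWED_LOGON_VERSION = 10
"""

# One-line "NAME = value" entries; nested (…) blocks do not match.
SCALAR = re.compile(r"^[ \t]*([A-Za-z0-9_.]+)[ \t]*=[ \t]*([^\s()=]+)[ \t]*$", re.M)
# "(HOST = something)" inside an ADDRESS block.
HOST = re.compile(r"\(\s*HOST\s*=\s*([^()\s]+)\s*\)", re.I)


def _active_lines(text):
    """Drop comment lines (first non-blank character is '#')."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def scalars(text):
    """Map upper-cased parameter name -> value for one-line entries."""
    return {k.upper(): v for k, v in SCALAR.findall(_active_lines(text))}


def _require_min(findings, finding_id, name, value, minimum):
    """Record a finding unless value is an integer >= minimum."""
    try:
        ok = int(value) >= minimum
    except (TypeError, ValueError):
        ok = False  # absent or non-numeric: reported as open (assumption)
    if not ok:
        findings.append((finding_id, f"{name} = {'not set' if value is None else value}"))


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_oracle_net(listener_ora, sqlnet_ora):
    """Return [(finding_id, detail), ...] for settings that fail the findings."""
    lsn, sql = scalars(listener_ora), scalars(sqlnet_ora)
    findings = []

    # V-3497: ADMIN_RESTRICTIONS_<listener>, if present, should be ON.
    for name, value in lsn.items():
        if name.startswith("ADMIN_RESTRICTIONS_") and value.upper() != "ON":
            findings.append(("V-3497", f"{name} = {value}"))

    # V-3862: listener and server inbound connect timeouts should be > 0.
    timeouts = [(n, v) for n, v in lsn.items() if n.startswith("INBOUND_CONNECT_TIMEOUT_")]
    timeouts = timeouts or [("INBOUND_CONNECT_TIMEOUT_<listener>", None)]
    timeouts.append(("SQLNET.INBOUND_CONNECT_TIMEOUT", sql.get("SQLNET.INBOUND_CONNECT_TIMEOUT")))
    for name, value in timeouts:
        _require_min(findings, "V-3862", name, value, 1)

    # V-3863: SQLNET.EXPIRE_TIME should be > 0.
    _require_min(findings, "V-3863", "SQLNET.EXPIRE_TIME", sql.get("SQLNET.EXPIRE_TIME"), 1)

    # V-16057: SQLNET.ALLOWED_LOGON_VERSION should be 10 or higher.
    name = "SQLNET.ALLOWED_LOGON_VERSION"
    _require_min(findings, "V-16057", name, sql.get(name), 10)

    # V-16031: listener.ora should identify hosts by IP address, not host name.
    for host in HOST.findall(_active_lines(listener_ora)):
        if not _is_ip(host):
            findings.append(("V-16031", f"HOST = {host}"))
    return findings


if __name__ == "__main__":
    for fid, detail in check_oracle_net(WEAK_LISTENER, WEAK_SQLNET):
        print(fid, detail)
```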