Skip to main content

πŸ“ Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on 🟒

  • Contextual name: πŸ“ SQL Server Instance 3625 (trace flag) Database Flag is not set to on 🟒
  • ID: /ce/ca/google/sql/sqlserver-instance-3625-flag
  • Located in: πŸ“ Google Cloud SQL

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to on.

Rationale​

Microsoft SQL Trace Flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. 3625(trace log) Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information, hence this is recommended to set this flag globally to on to prevent the flag having been left off, or changed by bad actors. This recommendation is applicable to SQL Server database instances.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the SQL Server instance for which you want to enable to database flag.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag 3625 from the drop-down menu, and set its value to on.
  6. Click Save to save your changes.
  7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI​

  1. Configure the 3625 database flag for every Cloud SQL SQL Server database instance using the below command.

         gcloud sql instances patch <INSTANCE_NAME> --database-flags "3625=on"

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 6.3.6 Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - Level 1 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 6.3.6 Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Protection and Recovery16
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-1 Policy and Procedures (L)(M)(H)3
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)3124
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)212
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)31833
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-9 Configuration Management Plan (M)(H)8
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SA-3 System Development Life Cycle (L)(M)(H)4
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SA-8 Security and Privacy Engineering Principles (L)(M)(H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SA-10 Developer Configuration Management (M)(H)3
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-1 Policy and Procedures (L)(M)(H)3
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)23
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)11
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)29
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SA-3 System Development Life Cycle (L)(M)(H)4
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SA-8 Security and Privacy Engineering Principles (L)(M)(H)6
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-1 Policy and Procedures (L)(M)(H)3
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)324
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)112
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)333
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-9 Configuration Management Plan (M)(H)8
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SA-3 System Development Life Cycle (L)(M)(H)4
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SA-8 Security and Privacy Engineering Principles (L)(M)(H)6
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SA-10 Developer Configuration Management (M)(H)3
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.1 User end point devices813
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.9 Configuration management12
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)426
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed6
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction3
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced3
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission3
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes10
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles21
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations20
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties33
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities34
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use4
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-1 Policy and Procedures3
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-2 Baseline Configuration723
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-6 Configuration Settings412
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-7 Least Functionality923
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-9 Configuration Management Plan18
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-3 System Development Life Cycle34
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-8 Security and Privacy Engineering Principles337
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-10 Developer Configuration Management73
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7138
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.7 Requirement to review firewall and router rule sets at least every six months.8
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.4 Install personal firewall software or equivalent functionality on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the CDE.8
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.5330
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.1 Configuration standards are developed, implemented, and maintained.11
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.1 Configuration standards are developed, implemented, and maintained.11
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.1-2 Monitors Infrastructure and Software811
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.1-3 Implements Change-Detection Mechanisms3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.1-4 Detects Unknown or Unauthorized Components3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-1 Manages Changes Throughout the System Lifecycle3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-2 Authorizes Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-3 Designs and Develops Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-4 Documents Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-5 Tracks System Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-6 Configures Software3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-7 Tests System Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-8 Approves System Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-9 Deploys System Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-10 Identifies and Evaluates System Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-11 Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-12 Creates Baseline Configuration of IT Technology3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-13 Provides for Changes Necessary in Emergency Situations3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-14 Manages Patch Changes3
πŸ’Ό SOC 2 β†’ πŸ’Ό CC8.1-15 Considers System Resilience3