📝 Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on 🟢

• Contextual name: 📝 SQL Server Instance 3625 (trace flag) Database Flag is not set to on 🟢
• ID: /ce/ca/google/sql/sqlserver-instance-3625-flag
• Located in: 📁 Google Cloud SQL

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Disable '3625' Trace Flag for SQL Server Database Instances

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to on.

Rationale

Microsoft SQL Trace Flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. 3625(trace log) Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information, hence this is recommended to set this flag globally to on to prevent the flag having been left off, or changed by bad actors. This recommendation is applicable to SQL Server database instances.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the SQL Server instance for which you want to enable to database flag.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add item, choose the flag 3625 from the drop-down menu, and set its value to on.
6. Click Save to save your changes.
7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

1. Configure the 3625 database flag for every Cloud SQL SQL Server database instance using the below command.

        gcloud sql instances patch <INSTANCE_NAME> --database-flags "3625=on"

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 6.3.6 Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 Data Protection and Recovery			10