π Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off π’
- Contextual name: π SQL Server Instance cross db ownership chaining Database Flag is not set to off π’
- ID:
/ce/ca/google/sql/sqlserver-instance-cross-db-ownership-chaining-flag - Located in: π Google Cloud SQL
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
RELIABILITY
Similar Policiesβ
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
It is recommended to set
cross db ownership chainingdatabase flag for Cloud SQL SQL Server instance tooff.This flag is deprecated for all SQL Server versions in CGP. Going forward, you can't set its value to on. However, if you have this flag enabled, we strongly recommend that you either remove the flag from your database or set it to off. For cross-database access, use the Microsoft tutorial for signing stored procedures with a certificate (https://learn.microsoft.com/en-us/sql/relational-databases/tutorial-signing-stored-procedures-with-a-certificate?view=sql-server-ver16).
Rationaleβ
Use the
cross db ownershipfor chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enablingcross db ownershipis not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
- Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
- Select the SQL Server instance for which you want to enable to database flag.
- Click
Edit.- Scroll down to the
Flagssection.- To set a flag that has not been set on the instance before, click
Add item, choose the flagcross db ownership chainingfrom the drop-down menu, and set its value tooff.- Click
Save.- Confirm the changes under
Flagson the Overview page.From Google Cloud CLIβ
Configure the
cross db ownership chainingdatabase flag for every Cloud SQL SQL Server database instance using the below command:gcloud sql instances patch <INSTANCE_NAME> --database-flags "cross db ownership chaining"=offNote: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ System Configuration | 24 |