🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢

• Contextual name: 🛡️ SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢
• ID: /ce/ca/google/sql/sqlserver-instance-cross-db-ownership-chaining-flag
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Disable 'Cross DB Ownership Chaining' Flag for SQL Server Database Instances

Description

Open File

Description

It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.

This flag is deprecated for all SQL Server versions in GCP. Going forward, you cannot set its value to on. However, if you have this flag enabled, we strongly recommend that you either remove the flag from your database or set it to off. For cross-database access, use the Microsoft tutorial for signing stored procedures with a certificate (https://learn.microsoft.com/en-us/sql/relational-databases/tutorial-signing-stored-procedures-with-a-certificate?view=sql-server-ver16).

Rationale

Use the cross db ownership chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or allow cross-database ownership chaining for all databases. Enabling cross db ownership is not recommended unless all of the databases hosted by the SQL Server instance must participate in cross-database ownership chaining and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the SQL Server instance for which you want to enable the database flag.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add item, choose the flag cross db ownership chaining from the drop-down menu, and set its value to off.
6. Click Save.
7. Confirm the changes under Flags on the Overview page.

From Google Cloud CLI

1. Configure the cross db ownership chaining database flag for every Cloud SQL SQL Server database instance using the following command:

   gcloud sql instances patch {{instance-name}} \
       --database-flags "cross db ownership chaining"=off

   Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			56		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84		no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			17		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79		no data
💼 FedRAMP High Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Low Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			17		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79		no data
💼 FedRAMP Moderate Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		11	27		no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	31		no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction		10	24		no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code		8	22		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72		no data
💼 NIST SP 800-53 Revision 5 → 💼 MP-2 Media Access	2		13		no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	65		no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			65		no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			65		no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	65		no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			65		no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		15	36		no data
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access		1	22		no data
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets		13	27		no data