🛡️ Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off🟢

• Contextual name: 🛡️ SQL Server Instance external scripts enabled Database Flag is not set to off🟢
• ID: /ce/ca/google/sql/sqlserver-instance-external-scripts-enabled-flag
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Disable 'external scripts enabled' Flag for SQL Server Database Instances

Description

Open File

Description

It is recommended to set the external scripts enabled database flag for a Cloud SQL SQL Server instance to off.

Rationale

external scripts enabled enables the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. This recommendation is applicable to SQL Server database instances.

Impact

Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.

Audit

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the SQL Server instance for which you want to enable the database flag.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add item, choose the flag external scripts enabled from the drop-down menu, and set its value to off.
6. Click Save to save your changes.
7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

1. Configure the external scripts enabled database flag for every Cloud SQL SQL Server database instance using the following command.

   gcloud sql instances patch {{instance-name}} \
       --database-flags "external scripts enabled"=off

   Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Threat Protection			31		no data
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33		no data
💼 FedRAMP High Security Controls → 💼 SI-7 Software, Firmware, and Information Integrity (M)(H)	5		2		no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)			29		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3		33		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-7 Software, Firmware, and Information Integrity (M)(H)	2		2		no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)		4	26		no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities		21	30		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use			4		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality	9		23		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7 Software, Firmware, and Information Integrity	17	19	66		no data
💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.		1	27		no data
💼 PCI DSS v3.2.1 → 💼 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.			3		no data
💼 PCI DSS v3.2.1 → 💼 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.			3		no data
💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.			27		no data
💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.			27		no data
💼 PCI DSS v4.0.1 → 💼 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.			3		no data
💼 PCI DSS v4.0.1 → 💼 6.4.3 All payment page scripts that are loaded and executed in the consumer's browser are managed.			1		no data
💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.		15	27		no data
💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.		6	27		no data
💼 PCI DSS v4.0 → 💼 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.			3		no data
💼 PCI DSS v4.0 → 💼 6.4.3 All payment page scripts that are loaded and executed in the consumer's browser are managed.			1		no data
💼 SOC 2 → 💼 CC5.2-1 Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls			1		no data
💼 SOC 2 → 💼 CC5.2-2 Establishes Relevant Technology Infrastructure Control Activities			7		no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		15	36		no data
💼 SOC 2 → 💼 CC5.2-4 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities			1		no data