
πŸ“ Google Cloud SQL Server Instance user options Database Flag is configured 🟒

  • Contextual name: 📁 SQL Server Instance user options Database Flag is configured 🟢
  • ID: /ce/ca/google/sql/sqlserver-instance-user-options-flag
  • Located in: 📁 Google Cloud SQL

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY


Description

It is recommended that the user options database flag not be configured on Cloud SQL SQL Server instances.

Rationale

The user options option specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).

A user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.

Impact

Setting custom flags via the command line on certain instances causes all omitted flags to be reset to their defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.

Remediation

From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the SQL Server instance whose database flag you want to remove.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. Click the X next to the user options flag shown.
  6. Click Save to save your changes.
  7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

  1. List all Cloud SQL database instances:

         gcloud sql instances list
  2. Clear the user options database flag on every Cloud SQL SQL Server database instance using either of the commands below.

Clearing all flags to their default values:

        gcloud sql instances patch <INSTANCE_NAME> --clear-database-flags

OR

To clear only the user options database flag, set the database flags again without it: exclude the user options flag and its value, and restate every other flag you want to keep, because the flag list you pass replaces the instance's current set.

        gcloud sql instances patch <INSTANCE_NAME> --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]
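The second CLI option is the one that is easy to get wrong, since any flag left out of `--database-flags` is dropped. As an added example (not the page's or Cloudaware's code), this Python script reads the instance JSON that `gcloud sql instances list --format=json` (or `describe`) prints, skips non-SQL Server instances, and emits the patch command that removes only `user options` while restating every other flag, falling back to `--clear-database-flags` when nothing else would be lost. The instance records below are constructed samples.

```python
# Added example: derive the per-instance remediation from gcloud's JSON output.
import shlex
from typing import Optional

USER_OPTIONS = "user options"  # Cloud SQL flag name for this SQL Server option

# Constructed sample, shaped like the DatabaseInstance JSON that
# `gcloud sql instances list --format=json` returns (only the keys used here).
SAMPLE_INSTANCES = [
    {"name": "mssql-prod", "databaseVersion": "SQLSERVER_2019_STANDARD",
     "settings": {"databaseFlags": [
         {"name": "user options", "value": "16"},
         {"name": "remote access", "value": "off"},
         {"name": "cross db ownership chaining", "value": "off"}]}},
    {"name": "mssql-only-flag", "databaseVersion": "SQLSERVER_2017_EXPRESS",
     "settings": {"databaseFlags": [{"name": "user options", "value": "512"}]}},
    {"name": "mssql-clean", "databaseVersion": "SQLSERVER_2019_WEB",
     "settings": {"databaseFlags": [{"name": "remote access", "value": "off"}]}},
    {"name": "pg-main", "databaseVersion": "POSTGRES_15",
     "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"}]}},
]


def is_noncompliant(instance: dict) -> bool:
    """True when a SQL Server instance has 'user options' configured."""
    if not instance.get("databaseVersion", "").startswith("SQLSERVER"):
        return False  # the recommendation applies to SQL Server instances only
    flags = instance.get("settings", {}).get("databaseFlags") or []
    return any(f["name"] == USER_OPTIONS for f in flags)


def remediation_command(instance: dict) -> Optional[str]:
    """gcloud patch invocation that drops only 'user options'; None if compliant."""
    if not is_noncompliant(instance):
        return None
    kept = [f for f in instance["settings"]["databaseFlags"] if f["name"] != USER_OPTIONS]
    base = f"gcloud sql instances patch {shlex.quote(instance['name'])}"
    if not kept:  # nothing else to preserve, so clearing everything loses nothing
        return f"{base} --clear-database-flags"
    # Restate every remaining flag: --database-flags replaces the whole set.
    spec = ",".join(f"{f['name']}={f['value']}" for f in kept)
    return f"{base} --database-flags {shlex.quote(spec)}"


if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:  # in practice, iterate over the real list output
        print(inst["name"], "->", remediation_command(inst) or "compliant")
```

Flag names for SQL Server contain spaces, so the generated `--database-flags` value is shell-quoted as a single argument before being pasted into a terminal.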


Linked Framework Sections

Section → Sub Section

  • CIS GCP v1.2.0 → 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated)
  • CIS GCP v1.3.0 → 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated)
  • CIS GCP v2.0.0 → 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated)
  • CIS GCP v3.0.0 → 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated)
  • Cloudaware Framework → Secure Access
  • FedRAMP High Security Controls → CM-1 Policy and Procedures (L)(M)(H)
  • FedRAMP High Security Controls → CM-2 Baseline Configuration (L)(M)(H)
  • FedRAMP High Security Controls → CM-6 Configuration Settings (L)(M)(H)
  • FedRAMP High Security Controls → CM-7 Least Functionality (L)(M)(H)
  • FedRAMP High Security Controls → CM-9 Configuration Management Plan (M)(H)
  • FedRAMP High Security Controls → SA-3 System Development Life Cycle (L)(M)(H)
  • FedRAMP High Security Controls → SA-8 Security and Privacy Engineering Principles (L)(M)(H)
  • FedRAMP High Security Controls → SA-10 Developer Configuration Management (M)(H)
  • FedRAMP Low Security Controls → CM-1 Policy and Procedures (L)(M)(H)
  • FedRAMP Low Security Controls → CM-2 Baseline Configuration (L)(M)(H)
  • FedRAMP Low Security Controls → CM-6 Configuration Settings (L)(M)(H)
  • FedRAMP Low Security Controls → CM-7 Least Functionality (L)(M)(H)
  • FedRAMP Low Security Controls → SA-3 System Development Life Cycle (L)(M)(H)
  • FedRAMP Low Security Controls → SA-8 Security and Privacy Engineering Principles (L)(M)(H)
  • FedRAMP Moderate Security Controls → CM-1 Policy and Procedures (L)(M)(H)
  • FedRAMP Moderate Security Controls → CM-2 Baseline Configuration (L)(M)(H)
  • FedRAMP Moderate Security Controls → CM-6 Configuration Settings (L)(M)(H)
  • FedRAMP Moderate Security Controls → CM-7 Least Functionality (L)(M)(H)
  • FedRAMP Moderate Security Controls → CM-9 Configuration Management Plan (M)(H)
  • FedRAMP Moderate Security Controls → SA-3 System Development Life Cycle (L)(M)(H)
  • FedRAMP Moderate Security Controls → SA-8 Security and Privacy Engineering Principles (L)(M)(H)
  • FedRAMP Moderate Security Controls → SA-10 Developer Configuration Management (M)(H)
  • ISO/IEC 27001:2022 → 8.1 User end point devices
  • ISO/IEC 27001:2022 → 8.9 Configuration management
  • NIST CSF v1.1 → PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
  • NIST CSF v2.0 → DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
  • NIST CSF v2.0 → GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
  • NIST CSF v2.0 → GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
  • NIST CSF v2.0 → GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
  • NIST CSF v2.0 → GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
  • NIST CSF v2.0 → GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
  • NIST CSF v2.0 → ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles
  • NIST CSF v2.0 → ID.IM-01: Improvements are identified from evaluations
  • NIST CSF v2.0 → ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
  • NIST CSF v2.0 → ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities
  • NIST CSF v2.0 → ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use
  • NIST CSF v2.0 → PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
  • NIST CSF v2.0 → PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
  • NIST SP 800-53 Revision 5 → CM-1 Policy and Procedures
  • NIST SP 800-53 Revision 5 → CM-2 Baseline Configuration
  • NIST SP 800-53 Revision 5 → CM-6 Configuration Settings
  • NIST SP 800-53 Revision 5 → CM-7 Least Functionality
  • NIST SP 800-53 Revision 5 → CM-9 Configuration Management Plan
  • NIST SP 800-53 Revision 5 → SA-3 System Development Life Cycle
  • NIST SP 800-53 Revision 5 → SA-8 Security and Privacy Engineering Principles
  • NIST SP 800-53 Revision 5 → SA-10 Developer Configuration Management
  • PCI DSS v3.2.1 → 1.1 Establish and implement firewall and router configuration standards
  • PCI DSS v3.2.1 → 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
  • PCI DSS v3.2.1 → 1.1.7 Requirement to review firewall and router rule sets at least every six months.
  • PCI DSS v3.2.1 → 1.4 Install personal firewall software or equivalent functionality on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the CDE.
  • PCI DSS v3.2.1 → 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
  • PCI DSS v3.2.1 → 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
  • PCI DSS v3.2.1 → 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
  • PCI DSS v4.0.1 → 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties.
  • PCI DSS v4.0.1 → 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.
  • PCI DSS v4.0.1 → 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.
  • PCI DSS v4.0.1 → 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.
  • PCI DSS v4.0.1 → 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
  • PCI DSS v4.0.1 → 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE.
  • PCI DSS v4.0.1 → 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties.
  • PCI DSS v4.0.1 → 2.2.1 Configuration standards are developed, implemented, and maintained.
  • PCI DSS v4.0 → 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties.
  • PCI DSS v4.0 → 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.
  • PCI DSS v4.0 → 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.
  • PCI DSS v4.0 → 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.
  • PCI DSS v4.0 → 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
  • PCI DSS v4.0 → 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE.
  • PCI DSS v4.0 → 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties.
  • PCI DSS v4.0 → 2.2.1 Configuration standards are developed, implemented, and maintained.
  • SOC 2 → CC7.1-2 Monitors Infrastructure and Software
  • SOC 2 → CC7.1-3 Implements Change-Detection Mechanisms
  • SOC 2 → CC7.1-4 Detects Unknown or Unauthorized Components
  • SOC 2 → CC8.1-1 Manages Changes Throughout the System Lifecycle
  • SOC 2 → CC8.1-2 Authorizes Changes
  • SOC 2 → CC8.1-3 Designs and Develops Changes
  • SOC 2 → CC8.1-4 Documents Changes
  • SOC 2 → CC8.1-5 Tracks System Changes
  • SOC 2 → CC8.1-6 Configures Software
  • SOC 2 → CC8.1-7 Tests System Changes
  • SOC 2 → CC8.1-8 Approves System Changes
  • SOC 2 → CC8.1-9 Deploys System Changes
  • SOC 2 → CC8.1-10 Identifies and Evaluates System Changes
  • SOC 2 → CC8.1-11 Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents
  • SOC 2 → CC8.1-12 Creates Baseline Configuration of IT Technology
  • SOC 2 → CC8.1-13 Provides for Changes Necessary in Emergency Situations
  • SOC 2 → CC8.1-14 Manages Patch Changes
  • SOC 2 → CC8.1-15 Considers System Resilience