๐Ÿ›ก๏ธ Google Cloud SQL Server Instance user options Database Flag is configured๐ŸŸข

  • Contextual name: 🛡️ SQL Server Instance user options Database Flag is configured 🟢
  • ID: /ce/ca/google/sql/sqlserver-instance-user-options-flag
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

It is recommended that the user options database flag for Cloud SQL SQL Server instances not be configured.

Rationale

The user options option specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).

A user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.

Impact

Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.

Remediation

From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the SQL Server instance for which you want to modify the database flag.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. Click the X next to the user options flag shown.
  6. Click Save to save your changes.
  7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

  1. List all Cloud SQL database instances:

         gcloud sql instances list

  2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the commands below.

     To clear all flags to their default values:

         gcloud sql instances patch <INSTANCE_NAME> --clear-database-flags

     OR

     To clear only the user options database flag, set the database flags again without it: exclude the user options flag and its value, and keep all other flags you want to configure.

         gcloud sql instances patch <INSTANCE_NAME> --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]
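
Because `--database-flags` replaces the whole flag set, the second command has to restate every flag the instance should keep. The following added example (not part of the original policy page) derives the right patch command per instance from JSON shaped like `gcloud sql instances list --format=json` output; the instance names and flag values in the sample are constructed, and the function name is hypothetical.

```python
import json
import shlex

# Constructed sample shaped like `gcloud sql instances list --format=json` output.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "mssql-prod", "databaseVersion": "SQLSERVER_2019_STANDARD",
   "settings": {"databaseFlags": [
     {"name": "user options", "value": "16"},
     {"name": "remote access", "value": "off"},
     {"name": "3625", "value": "on"}]}},
  {"name": "mssql-dev", "databaseVersion": "SQLSERVER_2017_EXPRESS",
   "settings": {"databaseFlags": [{"name": "user options", "value": "512"}]}},
  {"name": "mssql-clean", "databaseVersion": "SQLSERVER_2019_WEB",
   "settings": {"databaseFlags": [{"name": "remote access", "value": "off"}]}},
  {"name": "pg-app", "databaseVersion": "POSTGRES_15", "settings": {}}
]
"""

FLAG = "user options"


def remediation_plan(instances):
    """Map each non-compliant SQL Server instance to its patch command (argv list)."""
    plan = {}
    for inst in instances:
        if not inst.get("databaseVersion", "").startswith("SQLSERVER"):
            continue  # the recommendation applies to SQL Server instances only
        flags = inst.get("settings", {}).get("databaseFlags") or []
        if not any(f["name"] == FLAG for f in flags):
            continue  # compliant: the flag is not configured
        # Every flag except "user options" must be restated, or it resets to default.
        keep = [f'{f["name"]}={f["value"]}' for f in flags if f["name"] != FLAG]
        cmd = ["gcloud", "sql", "instances", "patch", inst["name"]]
        cmd.append("--database-flags=" + ",".join(keep) if keep
                   else "--clear-database-flags")
        plan[inst["name"]] = cmd
    return plan


if __name__ == "__main__":
    # shlex.join quotes flag names that contain spaces for safe pasting into a shell.
    for name, cmd in remediation_plan(json.loads(SAMPLE_INSTANCES_JSON)).items():
        print(f"{name}: {shlex.join(cmd)}")
```

The sketch assumes flag values contain no commas; review the generated commands before running them, since a patch may restart the instance.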

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS GCP v1.2.0 → 💼 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated) | 1 | no data
💼 CIS GCP v1.3.0 → 💼 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated) | 1 | no data
💼 CIS GCP v2.0.0 → 💼 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated) | 1 | no data
💼 CIS GCP v3.0.0 → 💼 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 57 | no data
💼 FedRAMP High Security Controls → 💼 CM-1 Policy and Procedures (L)(M)(H) | 3 | no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3130 | no data
💼 FedRAMP High Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H) | 212 | no data
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) | 31833 | no data
💼 FedRAMP High Security Controls → 💼 CM-9 Configuration Management Plan (M)(H) | 8 | no data
💼 FedRAMP High Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4 | no data
💼 FedRAMP High Security Controls → 💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | 6 | no data
💼 FedRAMP High Security Controls → 💼 SA-10 Developer Configuration Management (M)(H) | 3 | no data
💼 FedRAMP Low Security Controls → 💼 CM-1 Policy and Procedures (L)(M)(H) | 3 | no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 29 | no data
💼 FedRAMP Low Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H) | 11 | no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) | 29 | no data
💼 FedRAMP Low Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4 | no data
💼 FedRAMP Low Security Controls → 💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | 6 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-1 Policy and Procedures (L)(M)(H) | 3 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 330 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H) | 112 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) | 333 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-9 Configuration Management Plan (M)(H) | 8 | no data
💼 FedRAMP Moderate Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4 | no data
💼 FedRAMP Moderate Security Controls → 💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | 6 | no data
💼 FedRAMP Moderate Security Controls → 💼 SA-10 Developer Configuration Management (M)(H) | 3 | no data
💼 ISO/IEC 27001:2022 → 💼 8.1 User end point devices | 813 | no data
💼 ISO/IEC 27001:2022 → 💼 8.9 Configuration management | 12 | no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | 426 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 142 | no data
💼 NIST CSF v2.0 → 💼 GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | 7 | no data
💼 NIST CSF v2.0 → 💼 GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 3 | no data
💼 NIST CSF v2.0 → 💼 GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | 3 | no data
💼 NIST CSF v2.0 → 💼 GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | 3 | no data
💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | 10 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | 25 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations | 26 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 40 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 41 | no data
💼 NIST CSF v2.0 → 💼 ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use | 4 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 142 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | 15 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-1 Policy and Procedures | 3 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 729 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-6 Configuration Settings | 412 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality | 923 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-9 Configuration Management Plan | 18 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-3 System Development Life Cycle | 34 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-8 Security and Privacy Engineering Principles | 338 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-10 Developer Configuration Management | 73 | no data
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards | 7139 | no data
💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. | 127 | no data
💼 PCI DSS v3.2.1 → 💼 1.1.7 Requirement to review firewall and router rule sets at least every six months. | 9 | no data
💼 PCI DSS v3.2.1 → 💼 1.4 Install personal firewall software or equivalent functionality on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the CDE. | 8 | no data
💼 PCI DSS v3.2.1 → 💼 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. | 8 | no data
💼 PCI DSS v3.2.1 → 💼 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | 5332 | no data
💼 PCI DSS v3.2.1 → 💼 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. | 8 | no data
💼 PCI DSS v4.0.1 → 💼 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties. | 8 | no data
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained. | 34 | no data
💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need. | 27 | no data
💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. | 27 | no data
💼 PCI DSS v4.0.1 → 💼 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. | 9 | no data
💼 PCI DSS v4.0.1 → 💼 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE. | 8 | no data
💼 PCI DSS v4.0.1 → 💼 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties. | 8 | no data
💼 PCI DSS v4.0.1 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained. | 13 | no data
💼 PCI DSS v4.0 → 💼 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties. | 8 | no data
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained. | 2434 | no data
💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need. | 1527 | no data
💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. | 627 | no data
💼 PCI DSS v4.0 → 💼 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. | 9 | no data
💼 PCI DSS v4.0 → 💼 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE. | 8 | no data
💼 PCI DSS v4.0 → 💼 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties. | 8 | no data
💼 PCI DSS v4.0 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained. | 13 | no data
💼 SOC 2 → 💼 CC7.1-2 Monitors Infrastructure and Software | 811 | no data
💼 SOC 2 → 💼 CC7.1-3 Implements Change-Detection Mechanisms | 3 | no data
💼 SOC 2 → 💼 CC7.1-4 Detects Unknown or Unauthorized Components | 3 | no data
💼 SOC 2 → 💼 CC8.1-1 Manages Changes Throughout the System Lifecycle | 3 | no data
💼 SOC 2 → 💼 CC8.1-2 Authorizes Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-3 Designs and Develops Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-4 Documents Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-5 Tracks System Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-6 Configures Software | 3 | no data
💼 SOC 2 → 💼 CC8.1-7 Tests System Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-8 Approves System Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-9 Deploys System Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-10 Identifies and Evaluates System Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-11 Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents | 3 | no data
💼 SOC 2 → 💼 CC8.1-12 Creates Baseline Configuration of IT Technology | 3 | no data
💼 SOC 2 → 💼 CC8.1-13 Provides for Changes Necessary in Emergency Situations | 3 | no data
💼 SOC 2 → 💼 CC8.1-14 Manages Patch Changes | 3 | no data
💼 SOC 2 → 💼 CC8.1-15 Considers System Resilience | 3 | no data