Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'

The local_infile flag controls the LOAD DATA statement. The local version of this statement has potential security issues and therefore should not be used. Setting the local_infile database flag to off explicitly causes the server to refuse the LOAD DATA LOCAL command. For more information: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

Risk Level: Medium
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.VLN.02
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where databaseVersion like 'mysql%' should have settings.databaseFlags contain [ name like 'local_infile' and value like 'off' ]

REMEDIATION

Attention! Doing the steps below will restart your machine.

From Portal

  1. Navigate to the instance where the flag needs to be set: https://console.cloud.google.com/sql/instances
  2. Click Edit Configurations
  3. Under the flags section, choose Add flag, look for local_infile, and set its value to off.
  4. Save and review your changes

From TF
Set the flag 'local_infile' to 'off':

resource "google_sql_database_instance" "default" {
	# ... other instance arguments ...
	settings {
		# Makes the server refuse LOAD DATA LOCAL
		database_flags {
			name  = "local_infile"
			value = "off"
		}
	}
}

From Command Line

  1. First retrieve all existing flag values:
gcloud sql instances describe INSTANCE_NAME
  2. Add all existing flags and their values to the patch request; otherwise they will be reset to their default values.
gcloud sql instances patch INSTANCE_NAME --database-flags ExistingFlag1=Value1,ExistingFlag2=Value2,...,local_infile=off
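
The two command-line steps above can be scripted so that no existing flag is dropped by the patch. The following is an added example, not part of the CloudGuard rule or of Google's tooling: it assumes the JSON shape printed by `gcloud sql instances describe INSTANCE_NAME --format=json`, and the sample instance and function names are constructed for illustration.

```python
import json

# Constructed sample of `gcloud sql instances describe ... --format=json`
# output, trimmed to the fields used here (not taken from a real instance).
SAMPLE_DESCRIBE = json.loads("""
{
  "name": "example-instance",
  "databaseVersion": "MYSQL_8_0",
  "settings": {
    "databaseFlags": [
      {"name": "slow_query_log", "value": "on"},
      {"name": "local_infile", "value": "on"}
    ]
  }
}
""")


def _flags(instance):
    # databaseFlags is absent when no flag has ever been set on the instance.
    return instance.get("settings", {}).get("databaseFlags") or []


def is_compliant(instance):
    """Approximate the GSL rule: a MySQL instance must set local_infile=off."""
    if not instance.get("databaseVersion", "").lower().startswith("mysql"):
        return True  # the rule only targets MySQL instances
    return any(
        f.get("name", "").lower() == "local_infile"
        and f.get("value", "").lower() == "off"
        for f in _flags(instance)
    )


def patch_flags_argument(instance):
    """Build the --database-flags value: keep every existing flag and
    force local_infile to off."""
    merged = {f["name"]: f["value"] for f in _flags(instance)}
    merged["local_infile"] = "off"
    for name, value in merged.items():
        if "," in value:
            # A comma inside a value would be split into a second list item.
            raise ValueError(f"flag {name} has a comma in its value: {value!r}")
    return ",".join(f"{name}={value}" for name, value in merged.items())


if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE_DESCRIBE))
    print("gcloud sql instances patch", SAMPLE_DESCRIBE["name"],
          "--database-flags", patch_flags_argument(SAMPLE_DESCRIBE))
```

An instance with no flags at all is reported as non-compliant, because the rule requires local_infile to be set to off explicitly.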

References

  1. https://cloud.google.com/sdk/gcloud/reference/sql/instances/describe
  2. https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--database-flags
  3. https://cloud.google.com/sql/docs/mysql/flags
  4. https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5