Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
local_infile flag controls LOAD DATA statement. The local version of this statement has potential security issues and therefore it should not be used. Setting local_infile database flag to off will explicitly cause the server to refuse LOAD DATA LOCAL command. For more information: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html
Risk Level: Medium
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.VLN.02
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CloudSql where databaseVersion like 'mysql%' should have settings.databaseFlags contain [ name like 'local_infile' and value like 'off' ]
REMEDIATION
Attention! Doing the steps below will restart your machine.
From Portal
- Navigate to the instance where the flag needs to be set: https://console.cloud.google.com/sql/instances
- Click Edit Configurations
- Under flags section, choose add flag, look for local_infile and choose value - off.
- Save and review your changes
From TF
Set the flag 'local_infile' to 'off':
resource 'google_sql_database_instance' 'default' {
...
settings {
database_flags {
name = 'local_infile'
value = 'off'
}
}
}
From Command Line
- First retrieve all existing flags values:
gcloud sql instances describe INSTANCE_NAME
- Add all existing flags and their value to the patch request - otherwise they will get set to their default value.
gcloud sql instances patch INSTANCE_NAME --database-flags (ExistingFlag1=Value1,ExistingFlag2=Value2,...),local_infile=off
References
- https://cloud.google.com/sdk/gcloud/reference/sql/instances/describe
- https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--database-flags
- https://cloud.google.com/sql/docs/mysql/flags
- https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html
GCP CloudSql
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated over 1 year ago