Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'

Trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. 3625(trace log) Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '**'. This can help prevent disclosure of sensitive information, hence this is recommended to disable this flag.

Suggest Edits

Risk Level: Medium
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.VLN.08
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where databaseVersion like 'SQLSERVER%' should have settings.databaseFlags contain [ name like '3625' and value like 'off' ]

REMEDIATION

From Portal

  1. Navigate to the instance where the flag needs to be set: https://console.cloud.google.com/sql/instances
  2. Click Edit Configurations
  3. Under flags section, choose add flag, look for '3625 (trace flag)' and choose value - off.
  4. Save and review your changes

From TF
Set the flag '3625 (trace flag)' to 'off':

resource 'google_sql_database_instance' 'default' {
	...
	settings {
		database_flags {
			name  = '3625'
			value = 'off'
		}
	}
}

From Command Line

  1. First retrieve all existing flags values:
gcloud sql instances describe INSTANCE_NAME
  1. Add all existing flags and their value to the patch request - otherwise they will get set to their default value.
gcloud sql instances patch INSTANCE_NAME --database-flags (ExistingFlag1=Value1,ExistingFlag2=Value2,...),'3625'=off

References

  1. https://cloud.google.com/sql/docs/sqlserver/flags
  2. https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5

Updated 7 months ago