Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
The 'user options' option specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).
Risk Level: Medium
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.VLN.10
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CloudSql where databaseVersion like 'SQLSERVER%' should not have settings.databaseFlags contain [ name like 'user options']
REMEDIATION
From Portal
- Navigate to the instance where the flag needs to be set: https://console.cloud.google.com/sql/instances
- Click Edit Configurations
- Scroll down to the Flags section.
- Click the X next 'user options' flag shown
- Click Save to save your changes.
- Confirm your changes under Flags on the Overview page.
From Command Line
- Clearing all flags to their default value
gcloud sql instances patch INSTANCE_NAME --clear-database-flags
OR
- To clear only 'user options' database flag, configure the database flag by overriding the 'user options'.
Exclude 'user options' flag and its value, and keep all other flags you want to configure.
gcloud sql instances patch INSTANCE_NAME --database-flags (ExistingFlag1=Value1,ExistingFlag2=Value2,...)
From TF
resource "google_sql_database_instance" "test" {
database_version = "SQLSERVER_2019_EXPRESS"
settings {
database_flags {
- name = "user options"
}
}
}
References
- https://cloud.google.com/sql/docs/sqlserver/flags
- https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15
- https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335
GCP CloudSql
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated over 1 year ago