turbot/gcp_compliance

Control: 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off

Description

It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.

external scripts enabled enable the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. As the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.This recommendation is applicable to SQL Server database instances.

Remediation

From Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the SQL Server instance for which you want to enable to database flag.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag external scripts enabled from the drop-down menu, and set its value to off.
  6. Click Save to save your changes.
  7. Confirm your changes under Flags on the Overview page.

From Command Line

  1. Configure the external scripts enabled database flag for every Cloud SQL SQL Server database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags "external scripts enabled=off"

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

Default Value

By default external scripts enabled is off.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v300_6_3_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_6_3_1 --share

SQL

This control uses a named query:

sql_instance_sql_external_scripts_enabled_database_flag_off

Tags