Control: 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off
Description
It is recommended to set external scripts
enabled database flag for Cloud SQL SQL Server instance to off
.
external scripts enabled
enable the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. As the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.This recommendation is applicable to SQL Server database instances.
Remediation
From Console
- Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
- Select the SQL Server instance for which you want to enable to database flag.
- Click
Edit
. - Scroll down to the
Flags
section. - To set a flag that has not been set on the instance before, click
Add item
, choose the flagexternal scripts enabled
from the drop-down menu, and set its value tooff
. - Click
Save
to save your changes. - Confirm your changes under
Flags
on the Overview page.
From Command Line
- Configure the
external scripts enabled
database flag for every Cloud SQL SQL Server database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags "external scripts enabled=off"
Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
Default Value
By default external scripts enabled
is off
.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v300_6_3_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v300_6_3_1 --share
SQL
This control uses a named query:
sql_instance_sql_external_scripts_enabled_database_flag_off