Benchmark: SQL
Description
This section contains recommendations for configuring SQL resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select SQL.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.all_controls_sql
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.all_controls_sql --share
Controls
- Prevent a public IP from being assigned to a Cloud SQL instance
 - Check if Cloud SQL instances have SSL turned on
 - Ensure that Cloud SQL database instances are configured with automated backups
 - MySql Instances should have binary log enabled
 - Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
 - Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'
 - Ensure Instance IP assignment is set to private
 - Ensure that 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance is Set to 'on' For Centralized Logging
 - Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
 - Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
 - Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
 - Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
 - Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
 - Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
 - Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately
 - Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
 - Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
 - Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
 - Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
 - Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
 - Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
 - Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
 - Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
 - Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'
 - Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
 - Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
 - SQL Instances should have labels configured
 - Check if Cloud SQL instances are world readable