id: gcloud-sql-user-options info: name: User Options Flag Enabled in Google Cloud SQL Server Instances author: princechaddha severity: medium description: | Checks if the "user options" database flag is configured for Google Cloud SQL Server instances, which can define global defaults for all database users. impact: | Configuring the "user options" database flag can lead to unintended global defaults for all database users, potentially causing performance issues or undesired behavior. remediation: | Disable the "user options" database flag for your Google Cloud SQL Server instances to avoid global defaults for all database users. reference: - https://cloud.google.com/sql/docs/sqlserver/configure-database-flags tags: cloud,devops,gcp,gcloud,google-cloud-sql,sql-database-flags,gcp-cloud-config flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) for(let sqlInstance of iterate(template.sqlInstances)){ set("sqlInstance", sqlInstance) code(3) }} self-contained: true code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)" extractors: - type: json name: projectIds internal: true json: - '.[].projectId' - engine: - sh - bash source: | gcloud sql instances list --project $projectId --filter='DATABASE_VERSION:SQLSERVER*' --format="json(name)" extractors: - type: json name: sqlInstances internal: true json: - '.[]' - engine: - sh - bash source: | gcloud sql instances describe $sqlInstance --format=json | jq '.settings.databaseFlags // [] | map(select(.name == "user options")) | .[].value' matchers: - type: regex regex: - '^(?:100|[1-9][0-9]?)$' extractors: - type: dsl dsl: - '"The user options database flag is enabled for the SQL Server instance " + sqlInstance + " in project " + projectId + "."' # digest: 490a0046304402203c01857319c55cdc041ae74ddabc606fb98272b5ee6587a17d4650a8a380bc8c02205286226ff88c4459f48beb977f4c2d228b79f3948431dfce05b9aa38fabc68a4:922c64590222798bb761d5b6d8e72950