/
sql.sp
389 lines (328 loc) · 18.4 KB
/
sql.sp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
locals {
sql_compliance_common_tags = merge(local.terraform_gcp_compliance_common_tags, {
service = "GCP/SQL"
})
}
benchmark "sql" {
title = "SQL"
description = "This benchmark provides a set of controls that detect Terraform GCP Cloud SQL resources deviating from security best practices."
children = [
control.sql_instance_automated_backups_enabled,
control.sql_instance_mysql_local_infile_database_flag_off,
control.sql_instance_mysql_skip_show_database_flag_on,
control.sql_instance_postgresql_log_checkpoints_database_flag_on,
control.sql_instance_postgresql_log_connections_database_flag_on,
control.sql_instance_postgresql_log_disconnections_database_flag_on,
control.sql_instance_postgresql_log_duration_database_flag_on,
control.sql_instance_postgresql_log_executor_stats_database_flag_off,
control.sql_instance_postgresql_log_hostname_database_flag_configured,
control.sql_instance_postgresql_log_lock_waits_database_flag_on,
control.sql_instance_postgresql_log_min_duration_statement_database_flag_disabled,
control.sql_instance_postgresql_log_min_error_statement_flag_set,
control.sql_instance_postgresql_log_min_messages_flag_set,
control.sql_instance_postgresql_log_parser_stats_database_flag_off,
control.sql_instance_postgresql_log_planner_stats_database_flag_off,
control.sql_instance_postgresql_log_statement_flag_set,
control.sql_instance_postgresql_log_statement_stats_database_flag_off,
control.sql_instance_postgresql_log_temp_files_database_flag_0,
control.sql_instance_postgresql_pgaudit_database_flag_on,
control.sql_instance_publicly_accessible,
control.sql_instance_require_ssl_enabled,
control.sql_instance_sql_3625_trace_database_flag_off,
control.sql_instance_sql_contained_database_authentication_database_flag_off,
control.sql_instance_sql_cross_db_ownership_chaining_database_flag_off,
control.sql_instance_sql_external_scripts_enabled_database_flag_off,
control.sql_instance_sql_remote_access_database_flag_off,
control.sql_instance_sql_user_options_database_flag_not_configured,
control.sql_instance_sql_with_no_public_ip,
control.sql_instance_using_latest_major_database_version
]
tags = merge(local.sql_compliance_common_tags, {
type = "Benchmark"
})
}
control "sql_instance_automated_backups_enabled" {
title = "Ensure that Cloud SQL database instances are configured with automated backups"
description = "It is recommended to have all SQL database instances set to enable automated backups."
query = query.sql_instance_automated_backups_enabled
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.7"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_mysql_local_infile_database_flag_off" {
title = "Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'"
description = "It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off."
query = query.sql_instance_mysql_local_infile_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.1.3"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_mysql_skip_show_database_flag_on" {
title = "Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'"
description = "It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on."
query = query.sql_instance_mysql_skip_show_database_flag_on
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.1.2"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_checkpoints_database_flag_on" {
title = "Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'"
description = "Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on."
query = query.sql_instance_postgresql_log_checkpoints_database_flag_on
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.1"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_connections_database_flag_on" {
title = "Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'"
description = "Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts."
query = query.sql_instance_postgresql_log_connections_database_flag_on
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.3"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_disconnections_database_flag_on" {
title = "Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'"
description = "Enabling the log_disconnections setting logs the end of each session, including the session duration."
query = query.sql_instance_postgresql_log_disconnections_database_flag_on
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.4"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_duration_database_flag_on" {
title = "Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'"
description = "Enabling the log_duration setting causes the duration of each completed statement to be logged. This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag. This parameter cannot be changed after session start."
query = query.sql_instance_postgresql_log_duration_database_flag_on
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.5"
cis_level = "1"
cis_type = "manual"
})
}
control "sql_instance_postgresql_log_executor_stats_database_flag_off" {
title = "Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'"
description = "The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows. The log_executor_stats flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query."
query = query.sql_instance_postgresql_log_executor_stats_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.11"
cis_level = "2"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_hostname_database_flag_configured" {
title = "Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately"
description = "PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line."
query = query.sql_instance_postgresql_log_hostname_database_flag_configured
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.8"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_lock_waits_database_flag_on" {
title = "Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'"
description = "Enabling the log_lock_waits flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted deadlock_timeout time to acquire a lock."
query = query.sql_instance_postgresql_log_lock_waits_database_flag_on
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.6"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_min_duration_statement_database_flag_disabled" {
title = "Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)"
description = "The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set."
query = query.sql_instance_postgresql_log_min_duration_statement_database_flag_disabled
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.16"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_parser_stats_database_flag_off" {
title = "Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'"
description = "The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server. If the syntax is correct, a parse tree is built up else an error is generated. The log_parser_stats flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query."
query = query.sql_instance_postgresql_log_parser_stats_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.9"
cis_level = "2"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_planner_stats_database_flag_off" {
title = "Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'"
description = "The same SQL query can be executed in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query. The log_planner_stats flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query."
query = query.sql_instance_postgresql_log_planner_stats_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.10"
cis_level = "2"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_statement_stats_database_flag_off" {
title = "Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'"
description = "The log_statement_stats flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats)."
query = query.sql_instance_postgresql_log_statement_stats_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.12"
cis_level = "2"
cis_type = "automated"
})
}
control "sql_instance_postgresql_log_temp_files_database_flag_0" {
title = "Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'"
description = "PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed work_mem. The log_temp_files flag controls logging names and the file size when it is deleted. Configuring log_temp_files to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of -1 disables temporary file information logging."
query = query.sql_instance_postgresql_log_temp_files_database_flag_0
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.2.15"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_require_ssl_enabled" {
title = "Ensure that the Cloud SQL database instance requires all incoming connections to use SSL"
description = "It is recommended to enforce all incoming connections to SQL database instance to use SSL."
query = query.sql_instance_require_ssl_enabled
tags = merge(local.sql_compliance_common_tags, {
cft_scorecard_v1 = "true"
cis = "true"
cis_item_id = "6.4"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_sql_3625_trace_database_flag_off" {
title = "Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'"
description = "It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off."
query = query.sql_instance_sql_3625_trace_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.3.6"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_sql_contained_database_authentication_database_flag_off" {
title = "Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'"
description = "It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off."
query = query.sql_instance_sql_contained_database_authentication_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.3.7"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_sql_cross_db_ownership_chaining_database_flag_off" {
title = "Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'"
description = "It is recommended to set cross DB ownership chaining database flag for Cloud SQL SQL Server instance to off."
query = query.sql_instance_sql_cross_db_ownership_chaining_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.3.2"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_sql_external_scripts_enabled_database_flag_off" {
title = "Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'"
description = "It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off."
query = query.sql_instance_sql_external_scripts_enabled_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.3.1"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_sql_remote_access_database_flag_off" {
title = "Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'"
description = "It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off."
query = query.sql_instance_sql_remote_access_database_flag_off
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.3.5"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_sql_user_options_database_flag_not_configured" {
title = "Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured"
description = "It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured."
query = query.sql_instance_sql_user_options_database_flag_not_configured
tags = merge(local.sql_compliance_common_tags, {
cis = "true"
cis_item_id = "6.3.4"
cis_level = "1"
cis_type = "automated"
})
}
control "sql_instance_postgresql_pgaudit_database_flag_on" {
title = "GCP SQL PostgreSQL instance should have pgaudit database flag set to 'on'"
description = "This control checks whether the pgaudit database flag for Cloud SQL PostgreSQL instance is set to 'on'."
query = query.sql_instance_postgresql_pgaudit_database_flag_on
tags = local.sql_compliance_common_tags
}
control "sql_instance_postgresql_log_min_messages_flag_set" {
title = "GCP SQL PostgreSQL instance should have log_min_messages database flag set to a valid value"
description = "This control checks whether the log_min_messages database flag for Cloud SQL PostgreSQL instance is set to a valid value."
query = query.sql_instance_postgresql_log_min_messages_flag_set
tags = local.sql_compliance_common_tags
}
control "sql_instance_postgresql_log_min_error_statement_flag_set" {
title = "GCP SQL PostgreSQL instance should have log_min_error_statement database flag set to ERROR or lower"
description = "This control checks whether the log_min_error_statement database flag for Cloud SQL PostgreSQL instance is set to ERROR or lower."
query = query.sql_instance_postgresql_log_min_error_statement_flag_set
tags = local.sql_compliance_common_tags
}
control "sql_instance_postgresql_log_statement_flag_set" {
title = "GCP SQL PostgreSQL instance should log SQL statements"
description = "This control checks whether the log_statement database flag for Cloud SQL PostgreSQL instance is set to log SQL statements."
query = query.sql_instance_postgresql_log_statement_flag_set
tags = local.sql_compliance_common_tags
}
control "sql_instance_sql_with_no_public_ip" {
title = "GCP SQL instance should not have public IP address"
description = "This control checks whether the GCP SQL instance has a public IP address."
query = query.sql_instance_sql_with_no_public_ip
tags = local.sql_compliance_common_tags
}
control "sql_instance_using_latest_major_database_version" {
title = "GCP SQL instance should be using latest major database version"
description = "This control checks whether the GCP SQL instance is using the latest major database version."
query = query.sql_instance_using_latest_major_database_version
tags = local.sql_compliance_common_tags
}
control "sql_instance_publicly_accessible" {
title = "GCP SQL instance should not be publicly accessible"
description = "This control checks whether the GCP SQL instance is publicly accessible."
query = query.sql_instance_publicly_accessible
tags = local.sql_compliance_common_tags
}