From e7418203668a849ea1deb579de829f569f7eeb5f Mon Sep 17 00:00:00 2001
From: FUJITA Yuki
Date: Thu, 23 Mar 2023 18:13:25 +0900
Subject: [PATCH 1/3] fix the condition

---
 .../gcp/policies/queries/sql/sqlserver_trace_flag_on.sql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql b/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
index 186f94003f71f2..88260cbd80efbe 100644
--- a/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
+++ b/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
@@ -11,13 +11,13 @@ SELECT gsi.name
 :'execution_time'::timestamp AS execution_time,
 :'framework' AS framework,
 :'check_id' AS check_id,
- 'Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "off" (Automated)' AS title,
+ 'Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "on" (Automated)' AS title,
 gsi.project_id AS project_id,
 CASE
 WHEN gsi.database_version LIKE 'SQLSERVER%'
 AND (f->>'value' IS NULL
- OR f->>'value' != 'off')
+ OR f->>'value' != 'on')
 THEN 'fail'
 ELSE 'pass'
 END AS status

From 49127fd8e813ae6aad95ca516da2e53250093443 Mon Sep 17 00:00:00 2001
From: cq-bot
Date: Thu, 23 Mar 2023 09:35:21 +0000
Subject: [PATCH 2/3] chore: Update code and docs

---
 website/pages/docs/plugins/sources/gcp/policies.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/pages/docs/plugins/sources/gcp/policies.md b/website/pages/docs/plugins/sources/gcp/policies.md
index c6f5398d08ed0e..2725c063bcbe6a 100644
--- a/website/pages/docs/plugins/sources/gcp/policies.md
+++ b/website/pages/docs/plugins/sources/gcp/policies.md
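Review bot: Whether an instance that has no 3625 entry in its database flags is reported at all depends on the join that produces `f`, which begins above the hunk; if that join is an inner join filtered on the flag name, such instances yield no row rather than a `fail`, and the `f->>'value' IS NULL` branch only covers a present-but-empty value. Since the unset state is the insecure default for a check now named `_on`, it is worth confirming that `f` comes from a LEFT JOIN (LATERAL) so a missing flag is reported as `fail`. The CASE expression's enclosing SELECT continues outside the hunk.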
@@ -106,7 +106,7 @@ GCP CIS v1.2.0 performs the following checks:
 - Ensure "user connections" database flag for Cloud SQL SQL Server instance is set as appropriate (Automated)
 - Ensure "user options" database flag for Cloud SQL SQL Server instance is not configured (Automated)
 - Ensure "remote access" database flag for Cloud SQL SQL Server instance is set to "off" (Automated)
- - Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "off" (Automated)
+ - Ensure "3625 (trace flag)" database flag for Cloud SQL SQL Server instance is set to "on" (Automated)
 - Ensure that the "contained database authentication" database flag for Cloud SQL on the SQL Server instance is set to "off" (Automated)
 - Ensure that the Cloud SQL database instance requires all incoming connections to use SSL (Automated)
 - Ensure that Cloud SQL database instances are not open to the world (Automated)

From c7d74c66be234f6eea17984d2e433f46fcd0c478 Mon Sep 17 00:00:00 2001
From: Aruneko
Date: Wed, 29 Mar 2023 19:28:19 +0900
Subject: [PATCH 3/3] add notification comment

---
 .../gcp/policies/queries/sql/sqlserver_trace_flag_on.sql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql b/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
index 88260cbd80efbe..2953585473c8c9 100644
--- a/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
+++ b/plugins/source/gcp/policies/queries/sql/sqlserver_trace_flag_on.sql
@@ -5,7 +5,8 @@
 -- OR settings_database_flags ->> '3625' != 'off'
 -- OR settings_database_flags ->> '3625' IS NULL);
-
+-- In the original document in CIS GCP v1.2.0, it describes the configuration should be 'off', but it is a typo.
+-- This constraint has been updated on CIS GCP v1.3.0, this flag should be 'on'.
 INSERT INTO gcp_policy_results (resource_id, execution_time, framework, check_id, title, project_id, status)
 SELECT gsi.name AS resource_id,
 :'execution_time'::timestamp AS execution_time,
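Review bot: The added comment's wording is hard to parse, and it sits directly beneath the quoted original query whose condition still reads `!= 'off'`, so a reader can mistake that quoted query for the one that runs. Suggested wording: `-- CIS GCP v1.2.0 text says this flag should be 'off'; that is a typo, corrected in CIS GCP v1.3.0 to 'on', which this query implements.` Citing the v1.3.0 recommendation number in the comment would let auditors trace why the result deviates from the v1.2.0 wording that the surrounding policy is labelled with.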