Profile Applicability:

Level 1

Description:

The skip_show_database database flag for Cloud SQL MySQL instances should be set to ON. This configuration prevents users without the SHOW DATABASES privilege from listing all databases, thus enhancing database security.

Rationale:

Enabling the skip_show_database flag limits the visibility of databases to users who lack the necessary privileges. By default, users without the SHOW DATABASES privilege may still see the databases for which they have other permissions. Activating this flag ensures that only authorized users can view database names, reducing the risk of information exposure or unauthorized access.

Impact:

Enabling this flag restricts users from seeing databases unless they possess the required SHOW DATABASES privilege. The configuration change will restart the database instance, which may temporarily disrupt availability.

Default Value:

When creating a MySQL database instance, the skip_show_database flag is not enabled by default.

Audit Steps:

From Google Cloud Console:

  1. Open the Cloud SQL Instances page.

  2. Select the MySQL instance to open its Overview page.

  3. Under the Database Flags section, confirm that the skip_show_database flag is set and its value is ON.

From Google Cloud CLI:

List all Cloud SQL instances:

gcloud sql instances list

Verify that the skip_show_database flag is set to ON:

gcloud sql instances describe <INSTANCE_NAME> --format=json | jq '.settings.databaseFlags[] | select(.name=="skip_show_database")|.value'

The expected output should display: "On"

Remediation Steps:

From Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

  2. Select the MySQL instance for which you want to enable the skip_show_database flag.

  3. Click Edit.

  4. Scroll to the Flags section.

  5. Click Add a Database Flag, select skip_show_database from the dropdown, and set its value to ON.

  6. Save the changes.

  7. Confirm the updated flag under the Flags section on the instance's Overview page.

From Google Cloud CLI:

List all Cloud SQL instances:

gcloud sql instances list

Configure the skip_show_database flag for each MySQL instance:

gcloud sql instances patch <INSTANCE_NAME> --database-flags skip_show_database=on
Note: This command overwrites all previously set database flags. To retain existing flags, include them in the command.
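The audit and remediation steps above have two practical pitfalls: the jq pipeline prints nothing when the flag is absent (which is a fail, not a pass), and the patch command silently drops every flag you do not repeat. The following Python is an added example, not part of the benchmark or of any Google tooling; it reads the JSON that `gcloud sql instances describe --format=json` emits (the two documents below are constructed samples with an invented instance name), decides compliance the way the audit step does, and builds a patch command that keeps the existing flags. It also skips non-MySQL instances, since `gcloud sql instances list` returns every engine in the project.

```python
import json
import shlex

FLAG = "skip_show_database"

# Constructed sample of `gcloud sql instances describe <INSTANCE_NAME> --format=json`
# output, trimmed to the fields used below. The instance name and flag values are
# invented for this example; they are not real resources.
SAMPLE_NONCOMPLIANT = """
{
  "name": "example-mysql-prod",
  "databaseVersion": "MYSQL_8_0",
  "settings": {
    "databaseFlags": [
      {"name": "local_infile", "value": "off"},
      {"name": "max_connections", "value": "500"}
    ]
  }
}
"""

# The same constructed instance after remediation; the console reports the value as "On".
SAMPLE_COMPLIANT = """
{
  "name": "example-mysql-prod",
  "databaseVersion": "MYSQL_8_0",
  "settings": {
    "databaseFlags": [
      {"name": "local_infile", "value": "off"},
      {"name": "max_connections", "value": "500"},
      {"name": "skip_show_database", "value": "On"}
    ]
  }
}
"""


def load(describe):
    """Accept the raw JSON text from gcloud or an already-parsed dict."""
    return json.loads(describe) if isinstance(describe, str) else describe


def flag_map(describe):
    """Return {flag_name: value}; an instance with no flags has no databaseFlags key."""
    flags = load(describe).get("settings", {}).get("databaseFlags") or []
    return {f["name"]: str(f.get("value", "")) for f in flags}


def audit_skip_show_database(describe):
    """Return (status, detail). status is 'compliant', 'noncompliant' or
    'not_applicable' (non-MySQL instance). The comparison is case-insensitive
    because the console shows 'On' while the CLI accepts 'on'."""
    doc = load(describe)
    if not doc.get("databaseVersion", "").startswith("MYSQL"):
        return "not_applicable", f"{doc.get('name')} is not a MySQL instance"
    flags = flag_map(doc)
    if FLAG not in flags:
        # jq's select() prints nothing in this case, which is easy to misread as a pass.
        return "noncompliant", f"{FLAG} not set (flag absent, MySQL default is off)"
    value = flags[FLAG]
    if value.strip().lower() == "on":
        return "compliant", f"{FLAG}={value}"
    return "noncompliant", f"{FLAG}={value} (expected on)"


def remediation_flags(describe):
    """Build the --database-flags value that turns the flag on while keeping every
    flag already set, because `gcloud sql instances patch` replaces the whole list."""
    flags = flag_map(describe)
    flags[FLAG] = "on"
    return ",".join(f"{name}={value}" for name, value in sorted(flags.items()))


def remediation_command(describe):
    """The patch command to run for this instance (note: it restarts the instance)."""
    name = load(describe)["name"]
    return (f"gcloud sql instances patch {shlex.quote(name)} "
            f"--database-flags {shlex.quote(remediation_flags(describe))}")


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_NONCOMPLIANT), ("after", SAMPLE_COMPLIANT)):
        status, detail = audit_skip_show_database(sample)
        print(f"{label}: {status} - {detail}")
        if status == "noncompliant":
            print("  remediate with:", remediation_command(sample))
```

In practice you would feed each instance's describe output to `audit_skip_show_database` and only run the printed patch command for the noncompliant ones, scheduling it in a maintenance window because of the restart. The same merge logic applies to the backout command, which replaces the flag list in the same way.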

Backout Plan:

Revert the skip_show_database flag to off (if needed) by running the following command (like the remediation command, it replaces the full flag list, so include any other flags the instance needs):

gcloud sql instances patch <INSTANCE_NAME> --database-flags skip_show_database=off

Verify the flag configuration by running the describe command again and confirming that the value is now "off":

gcloud sql instances describe <INSTANCE_NAME> --format=json | jq '.settings.databaseFlags[] | select(.name=="skip_show_database")|.value'

Notify stakeholders:

  • Inform the relevant teams about the backout process and any impact on the system or applications relying on database visibility.

Review the audit logs to confirm changes:

gcloud logging read "protoPayload.methodName='google.cloud.sql.v1beta4.SqlInstancesPatch'"

References:

  1. Google Cloud SQL - Database Flags

  2. MySQL Documentation - skip_show_database

Additional Information:

  • Configuring this flag will restart the Cloud SQL instance, causing potential temporary unavailability.

  • Some database flags may impact instance availability or stability and could remove the instance from the Cloud SQL SLA. Refer to the Operational Guidelines.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.3 Configure Data Access Control Lists | Restrict access to data by configuring access control lists, ensuring that only authorized users can access local and remote file systems, databases, or applications. | | |
14.6 Protect Information through Access Control Lists | Protect all stored information by enforcing access control lists that limit access to only authorized individuals based on responsibilities and access needs. | | |