Profile Applicability:

  • Level 1

Description:

The local_infile database flag controls whether the server permits local data loading using the LOAD DATA LOCAL statement. It is recommended to set this flag to OFF on Cloud SQL MySQL instances to remove this avenue for unauthorized data access.

Rationale:

The local_infile flag allows client applications to upload local data files to the server using LOAD DATA LOCAL statements. This functionality introduces a security risk: a malicious user could abuse it to access data they are not authorized to read. Disabling the local_infile flag mitigates this risk by preventing the server from accepting local data loading requests from clients.

Impact:

Disabling the local_infile flag restricts clients from loading local data files into the server using LOAD DATA LOCAL statements. This might impact applications that rely on this feature.

Default Value:

By default, the local_infile flag is set to ON.

Audit Steps:

From Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

  2. Select a MySQL instance to view its Overview page.

  3. Under the Database Flags section, verify that the local_infile flag is listed and set to OFF.

From Google Cloud CLI:

List all Cloud SQL database instances:

gcloud sql instances list

Verify that the local_infile flag is set to OFF for each MySQL instance:

gcloud sql instances describe <INSTANCE_NAME> --format=json | jq '.settings.databaseFlags[] | select(.name=="local_infile")|.value'

The output should display: "off"

Remediation Steps:

From Google Cloud Console:

  1. Go to the Cloud SQL Instances page.

  2. Select the MySQL instance where the flag needs to be updated.

  3. Click Edit.

  4. Scroll to the Flags section and click Add a Database Flag.

  5. From the dropdown menu, select the local_infile flag and set its value to OFF.

  6. Save the changes.

  7. Verify the updated flag under the Flags section on the instance's Overview page.

From Google Cloud CLI:

List all Cloud SQL instances:

gcloud sql instances list

Set the local_infile flag to OFF:

gcloud sql instances patch <INSTANCE_NAME> --database-flags local_infile=off

Note: This command overwrites all existing database flags. To retain existing flags, include them in the same --database-flags argument.
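The following helper is an added example, not part of this benchmark or of the gcloud tooling. It evaluates the JSON that the `gcloud sql instances describe <INSTANCE_NAME> --format=json` command from the Audit Steps returns (constructed samples stand in for real output; instance names are assumptions), treats an absent flag as a finding because the server default is then in force, and builds the remediation command from the instance's existing flag list so that the overwrite caveat above is respected.

```python
import json

# Constructed samples shaped like `gcloud sql instances describe NAME --format=json`
# (only the fields this check reads); not output captured from a real project.
DESCRIBE_NONCOMPLIANT = json.loads("""
{"name": "mysql-example-01", "databaseVersion": "MYSQL_8_0",
 "settings": {"databaseFlags": [
   {"name": "local_infile", "value": "on"},
   {"name": "max_connections", "value": "500"}]}}
""")
DESCRIBE_UNSET = {"name": "mysql-example-02", "settings": {}}
DESCRIBE_COMPLIANT = {"name": "mysql-example-03", "settings": {
    "databaseFlags": [{"name": "local_infile", "value": "off"}]}}


def local_infile_state(describe):
    """Configured local_infile value ('on'/'off', lower-cased), or None when absent."""
    for flag in describe.get("settings", {}).get("databaseFlags", []):
        if flag.get("name") == "local_infile":
            return str(flag.get("value", "")).lower()
    return None


def is_compliant(describe):
    """Pass only when the flag is explicitly 'off'. An absent flag leaves the
    server default (ON, per this recommendation) in force, so it is a finding."""
    return local_infile_state(describe) == "off"


def remediation_command(describe):
    """Build the `gcloud sql instances patch` command that sets local_infile=off.

    --database-flags replaces the whole flag list, so every flag already on the
    instance is carried over unchanged; only local_infile is set to off.
    """
    flags = {f["name"]: f["value"]
             for f in describe.get("settings", {}).get("databaseFlags", [])}
    flags["local_infile"] = "off"
    joined = ",".join(f"{name}={value}" for name, value in sorted(flags.items()))
    return f"gcloud sql instances patch {describe['name']} --database-flags {joined}"


if __name__ == "__main__":
    for inst in (DESCRIBE_NONCOMPLIANT, DESCRIBE_UNSET, DESCRIBE_COMPLIANT):
        state = local_infile_state(inst) or "unset"
        verdict = "PASS" if is_compliant(inst) else "FAIL"
        print(f"{inst['name']}: local_infile={state} -> {verdict}")
        if verdict == "FAIL":
            print("  remediate with:", remediation_command(inst))
```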

Backout Plan:

Re-enable the local_infile flag (if needed): To revert the change, run the following command:

  gcloud sql instances patch [INSTANCE_NAME] --database-flags local_infile=on

Verify the flag configuration again:

  gcloud sql instances describe [INSTANCE_NAME] --format=json | jq '.settings.databaseFlags[] | select(.name=="local_infile")|.value'

Notify stakeholders:

  • Inform the relevant teams about the backout process and any impact on systems or applications that rely on local file loading.

Review the audit logs to confirm changes:

  gcloud logging read "protoPayload.methodName='google.cloud.sql.v1beta4.SqlInstancesPatch'"

References:

  1. Google Cloud SQL - Database Flags

  2. MySQL Documentation - local_infile

  3. MySQL Documentation - LOAD DATA LOCAL

Additional Information:

  • Configuring the local_infile flag will restart the Cloud SQL instance, which may cause temporary unavailability.

  • Some database flag changes may affect instance stability and remove the instance from the Cloud SQL SLA. For more details, refer to the Operational Guidelines.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
16.7 Use Standard Hardening Configuration Templates for Application Infrastructure | Apply standard hardening templates for components such as databases, web servers, cloud containers, and PaaS components to maintain secure configurations. | | |