PostgreSQL External Scripts Enabled Flag Should Be Off

More Info:

external scripts enabled, enables the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. As the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.This recommendation is applicable to SQL Server database instances.

Risk Level

Medium

Address

Reliability, Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the PostgreSQL External Scripts Enabled Flag misconfiguration for GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in your GCP console.
Run the following command to list all the Cloud SQL instances in your GCP project:
```
gcloud sql instances list
```
Identify the instance for which you want to remediate the PostgreSQL External Scripts Enabled Flag misconfiguration.
Run the following command to update the instance configuration:
```
gcloud sql instances patch [INSTANCE_NAME] --database-flags=external_scripting=false
```
Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.
Confirm the update by running the following command:
```
gcloud sql instances describe [INSTANCE_NAME]
```
This will display the details of your Cloud SQL instance, including the updated configuration.

By following these steps, you can remediate the PostgreSQL External Scripts Enabled Flag misconfiguration for GCP using GCP CLI.

Using Python

To remediate the PostgreSQL External Scripts Enabled Flag misconfiguration on GCP using Python, you can follow the below steps:

Connect to the GCP project using the google-auth and google-cloud-secret-manager libraries.

from google.auth import credentials
from google.cloud import secretmanager

# Set up credentials
credentials, project_id = google.auth.default()
client = secretmanager.SecretManagerServiceClient(credentials=credentials)

Retrieve the PostgreSQL instance name and configuration details from the GCP Secret Manager.

# Retrieve PostgreSQL instance name and configuration details from Secret Manager
name = "projects/{project_id}/secrets/{secret_name}/versions/latest".format(
    project_id=project_id,
    secret_name="postgres-config"
)
response = client.access_secret_version(name=name)
config = json.loads(response.payload.data.decode("UTF-8"))

Connect to the PostgreSQL instance using the psycopg2 library.

import psycopg2

# Connect to PostgreSQL instance
conn = psycopg2.connect(
    host=config["host"],
    port=config["port"],
    dbname=config["dbname"],
    user=config["user"],
    password=config["password"]
)

Disable the External Scripts Enabled flag by updating the postgresql.conf file.

# Disable External Scripts Enabled flag
with conn.cursor() as cursor:
    cursor.execute("ALTER SYSTEM SET external_scripts_enabled TO off;")
    conn.commit()

Restart the PostgreSQL instance for the changes to take effect.

# Restart PostgreSQL instance
with conn.cursor() as cursor:
    cursor.execute("SELECT pg_reload_conf();")
    conn.commit()

By following these steps, you can remediate the PostgreSQL External Scripts Enabled Flag misconfiguration on GCP using Python.

Additional Reading:

https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

PostgreSQL External Scripts Enabled Flag Should Be Off

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: