More Info:

external scripts enabled, enables the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. As the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.This recommendation is applicable to SQL Server database instances.

Risk Level

Medium

Address

Reliability, Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the PostgreSQL External Scripts Enabled Flag Should Be Off misconfiguration for GCP using GCP console, follow these steps:
  1. Open the GCP Console and navigate to the Cloud SQL instances page.
  2. Select the PostgreSQL instance you want to remediate.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Flags” section.
  5. Locate the “external-scripts-enabled” flag and set it to “off”.
  6. Click on the “Save” button at the bottom of the page to save the changes.
After completing these steps, the PostgreSQL External Scripts Enabled Flag will be turned off, and the misconfiguration will be remediated.

To remediate the PostgreSQL External Scripts Enabled Flag misconfiguration for GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to list all the Cloud SQL instances in your GCP project: 
    gcloud sql instances list
  3. Identify the instance for which you want to remediate the PostgreSQL External Scripts Enabled Flag misconfiguration.
  4. Run the following command to update the instance configuration: 
    gcloud sql instances patch [INSTANCE_NAME] --database-flags=external_scripting=false
    Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.
  5. Confirm the update by running the following command: 
    gcloud sql instances describe [INSTANCE_NAME]
    This will display the details of your Cloud SQL instance, including the updated configuration.
By following these steps, you can remediate the PostgreSQL External Scripts Enabled Flag misconfiguration for GCP using GCP CLI.
To remediate the PostgreSQL External Scripts Enabled Flag misconfiguration on GCP using Python, you can follow the below steps:
  1. Connect to the GCP project using the google-auth and google-cloud-secret-manager libraries.
from google.auth import credentials
from google.cloud import secretmanager

# Set up credentials
credentials, project_id = google.auth.default()
client = secretmanager.SecretManagerServiceClient(credentials=credentials)
  1. Retrieve the PostgreSQL instance name and configuration details from the GCP Secret Manager.
# Retrieve PostgreSQL instance name and configuration details from Secret Manager
name = "projects/{project_id}/secrets/{secret_name}/versions/latest".format(
    project_id=project_id,
    secret_name="postgres-config"
)
response = client.access_secret_version(name=name)
config = json.loads(response.payload.data.decode("UTF-8"))
  1. Connect to the PostgreSQL instance using the psycopg2 library.
import psycopg2

# Connect to PostgreSQL instance
conn = psycopg2.connect(
    host=config["host"],
    port=config["port"],
    dbname=config["dbname"],
    user=config["user"],
    password=config["password"]
)
  1. Disable the External Scripts Enabled flag by updating the postgresql.conf file.
# Disable External Scripts Enabled flag
with conn.cursor() as cursor:
    cursor.execute("ALTER SYSTEM SET external_scripts_enabled TO off;")
    conn.commit()
  1. Restart the PostgreSQL instance for the changes to take effect.
# Restart PostgreSQL instance
with conn.cursor() as cursor:
    cursor.execute("SELECT pg_reload_conf();")
    conn.commit()
By following these steps, you can remediate the PostgreSQL External Scripts Enabled Flag misconfiguration on GCP using Python.

Additional Reading: