Ensure that the "local_infile" database flag is disabled for your Google Cloud MySQL database instances, in order to follow data security best practices.
The "local_infile" database flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the "local_infile" configuration settings, the MySQL server can refuse or allow local data loading by clients that have LOCAL capabilities enabled on the client side. To make the MySQL database server explicitly refuse LOAD DATA LOCAL statements (regardless of how client applications and libraries are configured at build time or runtime), you can start the mysqld server executable with the "local_infile" flag disabled. Because of the security issues associated with the "local_infile" database flag, it is strongly recommended to disable it for production MySQL database instances.
Note: Some database flag settings can affect instance availability and/or stability, and eventually remove the MySQL instance from the Google Cloud SQL Service Level Agreement (SLA).
To determine if the "local_infile" flag is disabled for your Google Cloud MySQL database instances, perform the following operations:
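One way to automate this check, as an added example that is not part of the original page: the script below parses instance data in the JSON shape returned by `gcloud sql instances list --format=json` and reports every MySQL instance whose "local_infile" flag is not explicitly set to "off". The instance names and the embedded sample are constructed, and treating an unset flag as non-compliant is an assumption of this example.

```python
import json
import sys

# Constructed sample, shaped like `gcloud sql instances list --format=json` output.
SAMPLE = """
[
  {"name": "billing-db", "databaseVersion": "MYSQL_8_0",
   "settings": {"databaseFlags": [{"name": "local_infile", "value": "off"}]}},
  {"name": "orders-db", "databaseVersion": "MYSQL_5_7",
   "settings": {"databaseFlags": [{"name": "local_infile", "value": "on"}]}},
  {"name": "legacy-db", "databaseVersion": "MYSQL_5_7", "settings": {}},
  {"name": "analytics-pg", "databaseVersion": "POSTGRES_15",
   "settings": {"databaseFlags": []}}
]
"""


def local_infile_state(instance):
    """Return the configured value of local_infile, or 'unset' if absent."""
    flags = (instance.get("settings") or {}).get("databaseFlags") or []
    for flag in flags:
        if flag.get("name") == "local_infile":
            return str(flag.get("value", "")).strip().lower()
    return "unset"


def audit(instances):
    """List (name, state) for MySQL instances not explicitly set to 'off'."""
    findings = []
    for inst in instances:
        version = str(inst.get("databaseVersion", "")).upper()
        if not version.startswith("MYSQL"):
            continue  # the flag only applies to MySQL instances
        state = local_infile_state(inst)
        if state != "off":
            # Assumption: an unset flag is reported too, since it is not
            # explicitly disabled as the rule requires.
            findings.append((inst.get("name"), state))
    return findings


if __name__ == "__main__":
    # Pass a file holding real gcloud JSON output, or run with the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    findings = audit(json.loads(raw))
    for name, state in findings:
        print(f"NON-COMPLIANT {name}: local_infile={state}")
    sys.exit(1 if findings else 0)
```

To audit real instances, save the output of `gcloud sql instances list --format=json` to a file and pass its path as the first argument; the non-zero exit status on findings lets the script gate a scheduled compliance job.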
Remediation / Resolution
To turn off the "local_infile" database flag for your Google Cloud Platform (GCP) MySQL database instances, perform the following actions:
Note: Disabling "local_infile" makes the database instance refuse local data loading by clients that have the LOCAL parameter enabled on the client side.
- Google Cloud Platform (GCP) Documentation
- Cloud SQL for MySQL
- Configuring database flags
- Editing instances
- CIS Security Documentation
- Securing Google Cloud Computing Platform
You are auditing:
Disable "local_infile" Flag for MySQL Database Instances
Risk level: Medium