Skip to main content

πŸ›‘οΈ Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON🟒

  • Contextual name: πŸ›‘οΈ Flexible Server log_checkpoints Parameter is not set to ON🟒
  • ID: /ce/ca/azure/postgresql-database/flexible-server-log-checkpoints-parameter
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY, PERFORMANCE

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-9b79d91f1

Description​

Open File

Description​

Enable log_checkpoints on PostgreSQL flexible servers.

Rationale​

Enabling log_checkpoints helps the PostgreSQL Database to Log each checkpoint, which in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.

Audit​

From Azure Portal​
  1. From Azure Home select the Portal Menu.
  2. Go to Azure Database for PostgreSQL flexible servers.
  3. For each database, under Settings, click Server parameters.
  4. In the filter bar, type log_checkpoints.
  5. Ensure that the VALUE for log_checkpoints is set to ON.
From Azure CLI​

Ensure the below command returns a value of on:

az postgres flexible-server parameter show --resource-group <resourceGroup> --server-name <serverName> --name log_checkpoints
From PowerShell​

Ensure the below command returns a value of on:

Get-AzPostgreSqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name log_checkpoints

... [see more](description.md)

Remediation​

Open File

Remediation​

From Azure Portal​

  1. From Azure Home select the Portal Menu.
  2. Go to Azure Database for PostgreSQL flexible servers.
  3. For each database, under Settings, click Server parameters.
  4. In the filter bar, type log_checkpoints.
  5. Set the VALUE for log_checkpoints to ON.
  6. Click Save.

From Azure CLI​

Use the below command to enable log_checkpoints:

az postgres flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name log_checkpoints --value on

From PowerShell​

Update-AzPostgreSqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name log_checkpoints -Value on

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 4.12 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server11no data
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 5.2.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration65no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)726no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62032no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)1618no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)265no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)425no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4851no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)18no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)26no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)232no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)18no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)219no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.12.4.1 Event logging1518no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.14.1.1 Information security requirements analysis and specification66no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1834no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.20 Networks security514no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-2: Detected events are analyzed to understand attack targets and methods1824no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-3: Event data are collected and correlated from multiple sources and sensors1838no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2026no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1824no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-4: Event detection information is communicated2933no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations1519no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-2: A System Development Life Cycle to manage systems is implemented69no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1633no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.AN-1: Notifications from detection systems are investigated1824no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-2: Incidents are reported consistent with established criteria1922no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities35no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources50no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-06: Information on adverse events is provided to authorized staff and tools33no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis38no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events85no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events35no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events142no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship26no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked31no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-10: Critical suppliers are assessed prior to acquisition26no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging22no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-02: Internal and external stakeholders are notified of incidents31no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-02: Incident reports are triaged and validated25no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(9) Least Privilege _ Log Use of Privileged Functions1719no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44765no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3 Configuration Change Control81725no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.1-2 Monitors Infrastructure and Software811no data