π Google Cloud PostgreSQL Instance cloudsql.enable_pgaudit Database Flag is not set to on π’
- Contextual name: π PostgreSQL Instance cloudsql.enable_pgaudit Database Flag is not set to on π’
- ID:
/ce/ca/google/sql/postgresql-instance-cloudsql-enable-pgaudit-flag - Located in: π Google Cloud SQL
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
RELIABILITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Ensure
cloudsql.enable_pgauditdatabase flag for Cloud SQL PostgreSQL instance is set toonto allow for centralized logging.Rationaleβ
As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of
cloudsql.enable_pgaudit. This flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension. This extension provides detailed session and object logging to comply with government, financial, & ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location. to This recommendation is applicable only to PostgreSQL database instances.... see more
Remediationβ
Remediationβ
Initialize the pgAudit flagβ
From Google Cloud Consoleβ
- Go to https://console.cloud.google.com/sql/instances.
- Select the instance to open its
Overviewpage.- Click
Edit.- Scroll down and expand
Flags.- To set a flag that has not been set on the instance before, click
Add item.- Enter
cloudsql.enable_pgauditfor the flag name and set the flag toon.- Click
Done.- Click
Saveto update the configuration.- Confirm your changes under
Flagson theOverviewpage.From Google Cloud CLIβ
Run the below command by providing
<INSTANCE_NAME>to enablecloudsql.enable_pgauditflag.gcloud sql instances patch <INSTANCE_NAME> --database-flags cloudsql.enable_pgaudit=onNote:
RESTARTis required to get this configuration in effect.Creating the extension
- Connect to the the server running PostgreSQL or through a SQL client of your choice.
- If SSHing to the server in the command line open the PostgreSQL shell by typing
psql- Run the following command as a superuser.
... see more