🛡️ Google Cloud PostgreSQL Instance cloudsql.enable_pgaudit Database Flag is not set to on 🟢

  • Contextual name: 🛡️ PostgreSQL Instance cloudsql.enable_pgaudit Database Flag is not set to on 🟢
  • ID: /ce/ca/google/sql/postgresql-instance-cloudsql-enable-pgaudit-flag
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

Ensure the cloudsql.enable_pgaudit database flag for a Cloud SQL PostgreSQL instance is set to on to allow centralized logging.

Rationale

As numerous recommendations in this section involve enabling flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgAudit extension within PostgreSQL and enabling its corresponding flag cloudsql.enable_pgaudit. This flag and extension enable database auditing in PostgreSQL through the open-source pgAudit extension. The extension provides detailed session and object logging to comply with government, financial, and ISO standards, and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation sends these logs to Google Logs Explorer so that you can access them in a central location. This recommendation is applicable only to PostgreSQL database instances.

Remediation

Initialize the pgAudit flag

From Google Cloud Console
  1. Go to https://console.cloud.google.com/sql/instances.
  2. Select the instance to open its Overview page.
  3. Click Edit.
  4. Scroll down and expand Flags.
  5. To set a flag that has not been set on the instance before, click Add item.
  6. Enter cloudsql.enable_pgaudit for the flag name and set the flag to on.
  7. Click Done.
  8. Click Save to update the configuration.
  9. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

Run the following command, substituting your instance name for {{instance-name}}, to enable the cloudsql.enable_pgaudit flag.

gcloud sql instances patch {{instance-name}} \
--database-flags cloudsql.enable_pgaudit=on

Note: the instance must be restarted for this configuration to take effect.
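As an added example (not part of this policy page or of the Cloudaware product), the following Python check evaluates the JSON that gcloud sql instances list --format=json prints: it reports PostgreSQL instances whose cloudsql.enable_pgaudit flag is missing or not on, and builds the patch command for each one, carrying over the instance's existing flags because --database-flags replaces the whole flag set rather than adding to it. The instance names and flag values in the sample are constructed.

```python
import json

# Constructed sample of `gcloud sql instances list --format=json` output,
# trimmed to the fields this check needs (not real project data).
SAMPLE_INSTANCES_JSON = """
[
  {"name": "pg-prod", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": [{"name": "cloudsql.enable_pgaudit", "value": "on"},
                                  {"name": "log_connections", "value": "on"}]}},
  {"name": "pg-analytics", "databaseVersion": "POSTGRES_13",
   "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"}]}},
  {"name": "pg-dev", "databaseVersion": "POSTGRES_15",
   "settings": {"databaseFlags": [{"name": "cloudsql.enable_pgaudit", "value": "off"}]}},
  {"name": "mysql-legacy", "databaseVersion": "MYSQL_8_0",
   "settings": {}}
]
"""

FLAG = "cloudsql.enable_pgaudit"

def database_flags(instance):
    """Return the instance's settings.databaseFlags list as a {name: value} dict."""
    flags = instance.get("settings", {}).get("databaseFlags", [])
    return {f["name"]: f["value"] for f in flags}

def is_noncompliant(instance):
    """True for PostgreSQL instances whose pgAudit flag is absent or not 'on'.
    Instances of other engines are out of scope for this policy."""
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        return False
    return database_flags(instance).get(FLAG) != "on"

def remediation_command(instance):
    """Build the gcloud patch command for one instance. --database-flags
    replaces every flag on the instance, so existing flags are re-specified."""
    flags = database_flags(instance)
    flags[FLAG] = "on"
    joined = ",".join(f"{k}={v}" for k, v in sorted(flags.items()))
    return f"gcloud sql instances patch {instance['name']} --database-flags {joined}"

def audit(instances_json=SAMPLE_INSTANCES_JSON):
    """Map each non-compliant PostgreSQL instance name to its remediation command."""
    instances = json.loads(instances_json)
    return {i["name"]: remediation_command(i)
            for i in instances if is_noncompliant(i)}
```

Feed audit() the real listing output to get the commands for your project; each patched instance still needs the restart noted above.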

Creating the extension

  1. Connect to the server running PostgreSQL or use a SQL client of your choice.

  2. If you are using SSH, open the PostgreSQL shell by typing psql.

  3. Run the following command as a superuser:

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS GCP v1.3.0 → 💼 6.2.9 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - Level 1 (Automated) | 1 | no data
💼 CIS GCP v2.0.0 → 💼 6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - Level 1 (Automated) | 1 | no data
💼 CIS GCP v3.0.0 → 💼 6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - Level 1 (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration | 77 | no data