Description
Ensure that the cloudsql.enable_pgaudit database flag for the Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.
Rationale
As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open-source pgAudit extension within PostgreSQL and enabling its corresponding flag, cloudsql.enable_pgaudit. Setting this flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension. This extension provides detailed session and object logging to comply with government, financial, and ISO standards, and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and the settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location. This recommendation is applicable only to PostgreSQL database instances.
Impact
Enabling the pgAudit extension can lead to increased data storage requirements. To ensure durability of pgAudit log records in the event of unexpected storage issues, it is recommended to enable the Enable automatic storage increases setting on the instance. Enabling flags via the command line will also overwrite all existing flags, so you should apply all needed flags in the CLI command. Also, flags may require a restart of the server to be implemented or may break existing functionality, so update your servers at a time of low usage.
Audit
Determining if the pgAudit Flag is set to 'on'
From Google Cloud Console
- Go to https://console.cloud.google.com/sql/instances.
- Select the instance to open its Overview page.
- Click Edit.
- Scroll down and expand Flags.
- Ensure that the cloudsql.enable_pgaudit flag is set to on.
From Google Cloud CLI
Run the following command, providing your instance name as <INSTANCE_NAME>. Ensure the value of the flag is on. If the command prints nothing, the flag has never been set on the instance and the default value (off) applies.
gcloud sql instances describe <INSTANCE_NAME> --format="json" | jq '.settings.databaseFlags[] | select(.name=="cloudsql.enable_pgaudit") | .value'
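The following is an added example, not part of the benchmark text, that performs the same flag check as the jq one-liner above and builds the matching remediation command. It works on the JSON that `gcloud sql instances describe <INSTANCE_NAME> --format=json` prints, and it addresses the caveat from the Impact section that `gcloud sql instances patch --database-flags` replaces the entire flag set: existing flags are read from the describe output and carried over, so only cloudsql.enable_pgaudit is changed. The instance name and the describe document below are constructed samples, not output from a real instance.

```python
"""Audit and remediation helper for the cloudsql.enable_pgaudit flag.

Added example, not code from the CIS benchmark or from Google. It assumes the
caller has already saved the output of
`gcloud sql instances describe <INSTANCE_NAME> --format=json` (here a
constructed sample is used instead).
"""
import json
import shlex
from typing import Dict

# Constructed sample of the relevant part of the describe output. A real
# document contains many more keys; only settings.databaseFlags and
# settings.storageAutoResize are used here.
SAMPLE_DESCRIBE = json.dumps({
    "name": "example-pg-instance",          # hypothetical instance name
    "databaseVersion": "POSTGRES_15",
    "settings": {
        "databaseFlags": [
            {"name": "log_connections", "value": "on"},
            {"name": "cloudsql.enable_pgaudit", "value": "off"},
        ],
        "storageAutoResize": False,
    },
})

PGAUDIT_FLAG = "cloudsql.enable_pgaudit"


def database_flags(describe_json: str) -> Dict[str, str]:
    """Return the instance's database flags as a name -> value mapping.

    An instance that never had a flag set has no settings.databaseFlags key at
    all, which is why the jq one-liner prints nothing in that case; here the
    same situation yields an empty dict.
    """
    doc = json.loads(describe_json)
    flags = doc.get("settings", {}).get("databaseFlags") or []
    return {f["name"]: f["value"] for f in flags}


def pgaudit_enabled(describe_json: str) -> bool:
    """Audit check: True only when the flag is explicitly 'on'.

    A missing flag is treated as the default, which is off.
    """
    value = database_flags(describe_json).get(PGAUDIT_FLAG, "off")
    return value.lower() == "on"


def storage_auto_resize(describe_json: str) -> bool:
    """Whether 'Enable automatic storage increases' is on (see Impact)."""
    doc = json.loads(describe_json)
    return bool(doc.get("settings", {}).get("storageAutoResize", False))


def merged_flag_argument(describe_json: str, wanted: Dict[str, str]) -> str:
    """Build the value for --database-flags, keeping every existing flag.

    `gcloud sql instances patch --database-flags` replaces the whole flag set,
    so flags that are not repeated here would be silently dropped.
    """
    merged = database_flags(describe_json)
    merged.update(wanted)
    return ",".join(f"{name}={value}" for name, value in sorted(merged.items()))


def remediation_command(instance: str, describe_json: str) -> str:
    """Full patch command that turns pgAudit on without losing other flags.

    Changing this flag restarts the instance, so run it in a low-usage window.
    """
    arg = merged_flag_argument(describe_json, {PGAUDIT_FLAG: "on"})
    return (f"gcloud sql instances patch {shlex.quote(instance)} "
            f"--database-flags={shlex.quote(arg)}")


if __name__ == "__main__":
    if pgaudit_enabled(SAMPLE_DESCRIBE):
        print("PASS: cloudsql.enable_pgaudit is on")
    else:
        print("FAIL: cloudsql.enable_pgaudit is not on; suggested remediation:")
        print("  " + remediation_command("example-pg-instance", SAMPLE_DESCRIBE))
    if not storage_auto_resize(SAMPLE_DESCRIBE):
        print("NOTE: automatic storage increases are off (see Impact section)")
```

Feed it real data by replacing SAMPLE_DESCRIBE with the saved describe output; the PASS/FAIL logic and the generated patch command stay the same. The extension itself still has to be created inside the database with `CREATE EXTENSION pgaudit;` after the flag is on, which this helper does not do.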
Determine if the pgAudit extension is installed
- Connect to the server running PostgreSQL, or use a SQL client of your choice.
- From the command line, open the PostgreSQL shell by typing psql.
- Run the following command:
SELECT * FROM pg_extension;
- Check whether pgAudit appears in this list. If so, it is installed.
Determine if Data Access Audit logs are enabled for your project and have sufficient privileges
- From the homepage, open the hamburger menu in the top left.
- Scroll down to IAM & Admin and hover over it.
- In the menu that opens up, select Audit Logs.
- In the middle of the page, in the search box next to filter, search for Cloud Composer API.
- Select it, and ensure that both 'Admin Read' and 'Data Read' are checked.
Determine if logs are being sent to Logs Explorer
- From the Google Console home page, open the hamburger menu in the top left.
- In the menu that pops open, scroll down to Logs Explorer under Operations.
- In the query box, paste the following and search:
resource.type="cloudsql_database" logName="projects/<your-project-name>/logs/cloudaudit.googleapis.com%2Fdata_access" protoPayload.request.@type="type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry"
- If the query returns any log entries, pgAudit logging is correctly set up.
Default Value
By default, the cloudsql.enable_pgaudit database flag is set to off and the extension is not enabled.
References
- https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres
- https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag
- https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging
- https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable
Additional Information
WARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags - https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.
Note: Configuring the 'cloudsql.enable_pgaudit' database flag requires restarting the Cloud SQL PostgreSQL instance.