🛡️ Google Cloud PostgreSQL Instance Log_checkpoints Database Flag is not set to On🟢

• Contextual name: 🛡️ PostgreSQL Instance Log_checkpoints Database Flag is not set to On🟢
• ID: /ce/ca/google/sql/postgresql-instance-log-checkpoints-flag
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.

Rationale

Enabling log_checkpoints causes checkpoints and restart points to be logged in the server log. Some statistics are included in the log messages, including the number of buffers written and the time spent writing them. This parameter can only be set in the postgresql.conf file or on the server command line. This recommendation is applicable to PostgreSQL database instances.

Audit

This policy flags a Google SQL Instance as INCOMPLIANT if the log_checkpoints Database Flags is not set to on.

The Instance is marked as INAPPLICABLE if its not a PostgreSQL instance.

Default Value

By default log_checkpoints is off.

References

1. https://cloud.google.com/sql/docs/postgres/flags
2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT

Additional Information

WARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags - https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the PostgreSQL instance for which you want to enable the database flag.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add a Database Flag, choose the flag log_checkpoints from the drop-down menu and set the value as on.
6. Click Save.
7. Confirm the changes under Flags on the Overview page.

From Google Cloud CLI

1. Configure the log_checkpoints database flag for every Cloud SQL PosgreSQL database instance using the below command.

   gcloud sql instances patch <INSTANCE_NAME> --database-flags "log_checkpoints"=on

   Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.2.1 Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on' - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			45		no data