Skip to main content

πŸ“ Google Cloud PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter 🟒

  • Contextual name: πŸ“ PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter 🟒
  • ID: /ce/ca/google/sql/postgresql-instance-log-error-verbosity-flag
  • Located in: πŸ“ Google Cloud SQL

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY

Similar Policies​

Logic​

Description​

Open File

Description​

The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are:

        β€’ TERSE
β€’ DEFAULT
β€’ VERBOSE

TERSE excludes the logging of DETAIL, HINT, QUERY, and CONTEXT error information.

VERBOSE output includes the SQLSTATE error code, source code file name, function name, and line number that generated the error.

Ensure an appropriate value is set to DEFAULT or stricter.

Rationale​

Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_error_verbosity is not set to the correct value, too many details or too few details may be logged. This flag should be configured with a value of DEFAULT or stricter. This recommendation is applicable to PostgreSQL database instances.

Impact​

Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance for which you want to enable the database flag.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add a Database Flag, choose the flag log_error_verbosity from the drop-down menu and set appropriate value.
  6. Click Save to save your changes.
  7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI​

  1. Configure the log_error_verbosity database flag for every Cloud SQL PosgreSQL database instance using the below command.

     gcloud sql instances patch INSTANCE_NAME --database-flags log_error_verbosity=<TERSE|DEFAULT|VERBOSE>

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 6.2.2 Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter - Level 2 (Manual _ Not supported, requires a manual assessment)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - Level 2 (Manual)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - Level 2 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - Level 2 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration27
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)126
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation (M)(H)118
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)263
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)12
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)63
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)126
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation (M)(H)118
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)63
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.28 Collection of evidence1421
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1834
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-3: Event data are collected and correlated from multiple sources and sensors1938
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1942
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources44
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis38
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events110
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events79
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events123
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident17
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3 Content of Audit Records31326
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation2118
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44663
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 9.7 Maintain strict control over the storage and accessibility of media.16
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2 Implement automated audit trails for all system components.7725
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.2 All actions taken by any individual with root or administrative privileges.15
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.5 Use of and changes to identification and authentication mechanisms.116
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.16
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.724
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.15
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.16
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.724
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.15
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1636
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.2-1 Implements Detection Policies, Procedures, and Tools7
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.2-2 Designs Detection Measures7
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.2-3 Implements Filters to Analyze Anomalies918