Skip to main content

🛡️ Google Cloud PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter🟢

  • Contextual name: 🛡️ PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter🟢
  • ID: /ce/ca/google/sql/postgresql-instance-log-min-error-statement-flag
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Logic

Similar Policies

Description

Open File

Description

The log_min_error_statement flag defines the minimum message severity levels that are considered an error statement. Messages for error statements are logged with the SQL statement. Valid values include (from lowest to highest severity) DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of ERROR or stricter is set.

Rationale

Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_min_error_statement is not set to the correct value, messages may not be classified as error messages appropriately. Considering general log messages as error messages would make it difficult to find actual errors, while considering only stricter severity levels as error messages may skip actual errors in the SQL statements. The log_min_error_statement flag should be set to ERROR or stricter. This recommendation is applicable to PostgreSQL database instances.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance for which you want to enable the database flag.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_min_error_statement from the drop-down menu, and set the appropriate value.
  6. Click Save to save your changes.
  7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

  1. Configure the log_min_error_statement database flag for every Cloud SQL PostgreSQL database instance using the following command.

    gcloud sql instances patch {{instance-name}} \
        --database-flags log_min_error_statement={{DEBUG5|DEBUG4|DEBUG3|DEBUG2|DEBUG1|INFO|NOTICE|WARNING|ERROR}}

    Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 CIS GCP v1.2.0 → 💼 6.2.14 Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter - Level 1 (Automated)1no data
💼 CIS GCP v1.3.0 → 💼 6.2.7 Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - Level 1 (Automated)1no data
💼 CIS GCP v2.0.0 → 💼 6.2.6 Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - Level 1 (Automated)1no data
💼 CIS GCP v3.0.0 → 💼 6.2.6 Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - Level 1 (Automated)1no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration77no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)137no data
💼 FedRAMP High Security Controls → 💼 AU-7 Audit Record Reduction and Report Generation (M)(H)119no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)273no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)23no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)73no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)137no data
💼 FedRAMP Moderate Security Controls → 💼 AU-7 Audit Record Reduction and Report Generation (M)(H)119no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)73no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence1421no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging1834no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors1838no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources65no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis38no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events180no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events100no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events181no data
💼 NIST CSF v2.0 → 💼 RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident17no data
💼 NIST CSF v2.0 → 💼 RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18no data
💼 NIST CSF v2.0 → 💼 RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records31337no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-7 Audit Record Reduction and Report Generation2119no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation44773no data
💼 PCI DSS v3.2.1 → 💼 9.7 Maintain strict control over the storage and accessibility of media.16no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.7633no data
💼 PCI DSS v3.2.1 → 💼 10.2.2 All actions taken by any individual with root or administrative privileges.16no data
💼 PCI DSS v3.2.1 → 💼 10.2.5 Use of and changes to identification and authentication mechanisms.116no data
💼 PCI DSS v4.0.1 → 💼 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.16no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.732no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.16no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16no data
💼 PCI DSS v4.0 → 💼 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.16no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.7132no data
💼 PCI DSS v4.0 → 💼 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.16no data
💼 PCI DSS v4.0 → 💼 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data
💼 SOC 2 → 💼 CC7.2-1 Implements Detection Policies, Procedures, and Tools7no data
💼 SOC 2 → 💼 CC7.2-2 Designs Detection Measures7no data
💼 SOC 2 → 💼 CC7.2-3 Implements Filters to Analyze Anomalies918no data