Skip to main content

๐Ÿ›ก๏ธ Google Cloud PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning๐ŸŸข
  • ID: /ce/ca/google/sql/postgresql-instance-log-min-messages-flag
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Logicโ€‹

Similar Policiesโ€‹

Descriptionโ€‹

Open File

Descriptionโ€‹

The log_min_messages flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include (from lowest to highest severity) DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. WARNING is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.

Rationaleโ€‹

Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_min_messages is not set to the correct value, messages may not be classified as error messages appropriately. An organization will need to decide their own threshold for logging log_min_messages flag.

This recommendation is applicable to PostgreSQL database instances.

Impactโ€‹

Setting the threshold too low will might result in increased log storage size and length, making it difficult to find actual errors. Setting the threshold to 'Warning' will log messages for the most needed error messages. Higher severity levels may cause errors needed to troubleshoot to not be logged.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Google Cloud Consoleโ€‹

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances
  2. Select the PostgreSQL instance for which you want to enable the database flag.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add a Database Flag, choose the flag log_min_messages from the drop-down menu and set appropriate value.
  6. Click Save to save the changes.
  7. Confirm the changes under Flags on the Overview page.

From Google Cloud CLIโ€‹

  1. Configure the log_min_messages database flag for every Cloud SQL PosgreSQL database instance using the below command.

         gcloud sql instances patch <INSTANCE_NAME> --database-flags log_min_messages=<DEBUG5|DEBUG4|DEBUG3|DEBUG2|DEBUG1|INFO|NOTICE|WARNING|ERROR|LOG|FATAL|PANIC>

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ CIS GCP v1.2.0 โ†’ ๐Ÿ’ผ 6.2.13 Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately - Level 1 (Manual)1no data
๐Ÿ’ผ CIS GCP v1.3.0 โ†’ ๐Ÿ’ผ 6.2.6 Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning' - Level 1 (Manual)1no data
๐Ÿ’ผ CIS GCP v2.0.0 โ†’ ๐Ÿ’ผ 6.2.5 Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v3.0.0 โ†’ ๐Ÿ’ผ 6.2.5 Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - Level 1 (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ System Configuration45no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AU-3 Content of Audit Records (L)(M)(H)128no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AU-7 Audit Record Reduction and Report Generation (M)(H)118no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AU-12 Audit Record Generation (L)(M)(H)265no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ AU-3 Content of Audit Records (L)(M)(H)14no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ AU-12 Audit Record Generation (L)(M)(H)65no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AU-3 Content of Audit Records (L)(M)(H)128no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AU-7 Audit Record Reduction and Report Generation (M)(H)118no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AU-12 Audit Record Generation (L)(M)(H)65no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 5.28 Collection of evidence1421no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 8.15 Logging1834no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.AE-3: Event data are collected and correlated from multiple sources and sensors1838no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.AE-03: Information is correlated from multiple sources50no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis38no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events85no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events142no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident17no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AU-3 Content of Audit Records31328no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AU-7 Audit Record Reduction and Report Generation2118no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AU-12 Audit Record Generation44765no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 9.7 Maintain strict control over the storage and accessibility of media.16no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 10.2 Implement automated audit trails for all system components.7628no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 10.2.2 All actions taken by any individual with root or administrative privileges.16no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 10.2.5 Use of and changes to identification and authentication mechanisms.116no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.16no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 10.2.1 Audit logs are enabled and active for all system components and cardholder data.727no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.16no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.16no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 10.2.1 Audit logs are enabled and active for all system components and cardholder data.7127no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.16no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC7.2-1 Implements Detection Policies, Procedures, and Tools7no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC7.2-2 Designs Detection Measures7no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC7.2-3 Implements Filters to Analyze Anomalies918no data