📝 Google Cloud PostgreSQL Instance Log_statement Database Flag is not set appropriately 🟢

• Contextual name: 📝 PostgreSQL Instance Log_statement Database Flag is not set appropriately 🟢
• ID: /ce/ca/google/sql/postgresql-instance-log-statement-flag
• Located in: 📁 Google Cloud SQL

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • RELIABILITY

Similar Policies

• Cloud Conformity
  • Configure 'log_statement' Flag for PostgreSQL Database Instances

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

The value of log_statement flag determined the SQL statements that are logged. Valid values are:

        • none
        • ddl
        • mod
        • all

The value ddl logs all data definition statements. The value mod logs all ddl statements, plus data-modifying statements.

The statements are logged after a basic parsing is done and statement type is determined, thus this does not logs statements with errors. When using extended query protocol, logging occurs after an Execute message is received and values of the Bind parameters are included.

A value of ddl is recommended unless otherwise directed by your organization's logging policy.

Rationale

Auditing helps in forensic analysis. If log_statement is not set to the correct value, too many statements may be logged leading to issues in finding the relevant information from the logs, or too few statements may be logged with relevant information missing from the logs. Setting log_statement to align with your organization's security and logging policies facilitates later auditing and review of database activities. This recommendation is applicable to PostgreSQL database instances.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the PostgreSQL instance for which you want to enable the database flag.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add a Database Flag, choose the flag log_statement from the drop-down menu and set appropriate value.
6. Click Save to save your changes.
7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

1. Configure the log_statement database flag for every Cloud SQL PosgreSQL database instance using the below command.

        gcloud sql instances patch <INSTANCE_NAME> --database-flags log_statement=<ddl|mod|all|none>

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 6.2.4 Ensure ‘Log_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			49