PostgreSQL Misconfigured Logging Duration Flag

ID

gcp_postgresql_misc_loggin_duration_flag

Severity

low

Vendor

GCP

Resource

Logging

Tags

non-reachable

Description

It is recommended, when creating a PostgreSQL database, to set log_min_duration_statement to -1 as a best practice to avoid logging sensitive data: any other value writes the text of statements that run at least that many milliseconds into the log. However, this may not be necessary if Cloud SQL audit logs are in use.

However, it can also pose a security risk if an attacker is able to trick the instance into loading a malicious file.

To fix it, set the log_min_duration_statement flag to -1 for PostgreSQL instances.

Learn more about this topic at Audit logs.

Examples

---
- name: create a sql instance
  google.cloud.gcp_sql_instance:
    name: test_object
    settings:
      tier: db-n1-standard-1
      databaseFlags:
        - name: log_min_duration_statement
          value: 5   # any value >= 0 logs the text of statements running at least this many ms
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
- name: create a sql instance
  google.cloud.gcp_sql_instance:
    name: test_object
    settings:
      tier: db-n1-standard-1
      databaseFlags:
        - name: log_min_duration_statement
          value: -1  # -1 disables duration-based statement logging
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
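The check this page describes, as an added example rather than the scanner's own query: it parses an Ansible playbook (a bare task list or plays with a tasks: key), finds gcp_sql_instance tasks, and reports any whose log_min_duration_statement flag is set to anything other than -1. The sample playbook is constructed; PyYAML is assumed to be installed, and treating an absent flag as compliant (PostgreSQL's default is -1) is this check's own assumption.

```python
import yaml  # PyYAML; assumed installed
FLAG = "log_min_duration_statement"
MODULE = "google.cloud.gcp_sql_instance"
# Constructed sample: the first task enables duration logging, the second disables it.
SAMPLE_PLAYBOOK = """
- name: slow query logging enabled
  google.cloud.gcp_sql_instance:
    name: db_a
    settings:
      databaseFlags:
        - name: log_min_duration_statement
          value: 5
- name: duration logging disabled
  google.cloud.gcp_sql_instance:
    name: db_b
    settings:
      databaseFlags:
        - name: log_min_duration_statement
          value: -1
"""

def iter_tasks(doc):
    """Yield gcp_sql_instance tasks from a bare task list or from plays with a tasks: key."""
    for item in doc or []:
        if isinstance(item, dict) and MODULE in item:
            yield item
        for task in (item.get("tasks") or []) if isinstance(item, dict) else []:
            if isinstance(task, dict) and MODULE in task:
                yield task

def flag_value(task):
    """Return the value set for log_min_duration_statement, or None if the flag is absent."""
    settings = (task.get(MODULE) or {}).get("settings") or {}
    for flag in settings.get("databaseFlags") or []:
        if isinstance(flag, dict) and flag.get("name") == FLAG:
            return flag.get("value")
    return None

def is_misconfigured(value):
    """Any value but -1 logs statement text once a query runs that long (0 logs every statement).
    Compared as strings since Cloud SQL carries flag values as strings; an absent flag keeps
    PostgreSQL's default of -1 and is treated as compliant (an assumption of this check)."""
    return value is not None and str(value).strip() != "-1"

def find_misconfigured(playbook_text):
    """Return (task name, value) for every instance task whose flag is not -1."""
    return [(task.get("name", "<unnamed>"), flag_value(task))
            for task in iter_tasks(yaml.safe_load(playbook_text))
            if is_misconfigured(flag_value(task))]
```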