Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately

The value of 'log_statement' flag determined the SQL statements that are logged. Valid values are: 'none' | 'ddl' |'mod' |'all' The value 'ddl' logs all data definition statements.The value 'mod' logs all ddl statements, plus data-modifying statements. The statements are logged after a basic parsing is done and statement type is determined, thus this does not logs statements with errors. When using extended query protocol, logging occurs after an Execute message is received and values of the Bind parameters are included. A value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.

Risk Level: Low
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.LOG.13
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where databaseVersion like 'POSTGRES%' should have settings.databaseFlags contain [ name like 'log_statement' and value in('ddl', 'mod', 'all') ]

REMEDIATION

From Portal

  1. Go to https://console.cloud.google.com/sql/instances and navigate to the instance where the flag needs to be set
  2. Click Edit Configurations
  3. Under flags section, choose add flag, look for log_statement and choose value - 'ddl' |'mod' |'all'
  4. Save and review your changes

From TF
Set the flag 'log_statement' to <ddl|mod|all> :

resource 'google_sql_database_instance' 'default' {
	...
	settings {
		database_flags {
			name  = 'log_statement'
			value = 'ddl'/'mod'/'all'
		}
	}
}

From Command Line

  1. First retrieve all existing flags values:
gcloud sql instances describe INSTANCE_NAME
  1. Add all existing flags and their value to the patch request - otherwise they will get set to their default value.
gcloud sql instances patch INSTANCE_NAME --database-flags (ExistingFlag1=Value1,ExistingFlag2=Value2,...),log_statement=<ddl|mod|all>

References

  1. https://cloud.google.com/sql/docs/postgres/flags
  2. https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5