Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on'
Logging hostnames can incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname. Depending on the setup, this may be non-negligible. Additionally, the IP addresses that are logged can be resolved to their DNS names later when reviewing the logs excluding the cases where dynamic hostnames are used.
Risk Level: Low
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.LOG.15
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CloudSql where databaseVersion like 'POSTGRES%' should have settings.databaseFlags contain [ name like 'log_hostname' and value ='on']
REMEDIATION
From Portal
- Go to https://console.cloud.google.com/sql/instances and navigate to the instance where the flag needs to be set
- Click Edit Configurations
- Scroll down to the Flags section
- To set a flag that has not been set on the instance before, click Add item, choose the flag log_hostname from the drop-down menu and the value to On
- Save and review your changes
From TF
Set the flag 'log_hostname' with appropriate value:
resource 'google_sql_database_instance' 'default' {
...
settings {
database_flags {
name = 'log_hostname'
value = 'on'
}
}
}
From Command Line
- First retrieve all existing flags values:
gcloud sql instances describe INSTANCE_NAME
- Add all existing flags and their value to the patch request - otherwise they will get set to their default value.
gcloud sql instances patch INSTANCE_NAME --database-flags (ExistingFlag1=Value1,ExistingFlag2=Value2,...),log_hostname='on'
References
- https://cloud.google.com/sql/docs/postgres/flags
- https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT
GCP CloudSql
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated about 1 year ago