Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on'

Risk Level: Low
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.LOG.15
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where databaseVersion like 'POSTGRES%' should have settings.databaseFlags contain [ name like 'log_hostname' and value ='on']

REMEDIATION

From Portal

  1. Go to https://console.cloud.google.com/sql/instances and navigate to the instance where the flag needs to be set
  2. Click Edit Configurations
  3. Scroll down to the Flags section
  4. To set a flag that has not been set on the instance before, click Add item, choose the flag log_hostname from the drop-down menu and set the value to On
  5. Save and review your changes

From TF
Set the flag 'log_hostname' with the appropriate value (HCL requires double-quoted strings):

resource "google_sql_database_instance" "default" {
	...
	settings {
		database_flags {
			name  = "log_hostname"
			value = "on"
		}
	}
}

From Command Line

  1. First retrieve all existing flag values:
gcloud sql instances describe INSTANCE_NAME
  2. Add all existing flags and their values to the patch request, otherwise they will be reset to their default values:
gcloud sql instances patch INSTANCE_NAME --database-flags=ExistingFlag1=Value1,ExistingFlag2=Value2,...,log_hostname=on
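The following is an added example, not CloudGuard's or Google's code: it evaluates the GSL logic above offline against instance descriptions in the shape printed by `gcloud sql instances describe INSTANCE_NAME --format=json` (the Cloud SQL Admin API DatabaseInstance resource), and builds the full `--database-flags` value for the patch step so existing flags are preserved. The sample instances are constructed; an unset flag is treated as non-compliant because PostgreSQL's default for log_hostname is off.

```python
"""Offline check for rule D9.GCP.LOG.15 (log_hostname = on on Cloud SQL PostgreSQL)."""
import json
from typing import Any, Dict, List

# Constructed sample: instance descriptions trimmed to the fields the rule reads.
SAMPLE_INSTANCES: List[Dict[str, Any]] = json.loads("""
[
  {"name": "pg-ok", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": [{"name": "log_hostname", "value": "on"}]}},
  {"name": "pg-default", "databaseVersion": "POSTGRES_13", "settings": {}},
  {"name": "pg-off", "databaseVersion": "POSTGRES_15",
   "settings": {"databaseFlags": [{"name": "log_hostname", "value": "off"},
                                  {"name": "log_connections", "value": "on"}]}},
  {"name": "mysql-ignored", "databaseVersion": "MYSQL_8_0",
   "settings": {"databaseFlags": []}}
]
""")


def in_scope(instance: Dict[str, Any]) -> bool:
    """GSL scope clause: databaseVersion like 'POSTGRES%'."""
    return instance.get("databaseVersion", "").upper().startswith("POSTGRES")


def log_hostname_is_on(instance: Dict[str, Any]) -> bool:
    """GSL condition: settings.databaseFlags contain [name like 'log_hostname' and value='on'].
    No flag entry means Cloud SQL applies the PostgreSQL default (off), so that fails too."""
    flags = instance.get("settings", {}).get("databaseFlags") or []
    return any(f.get("name", "").lower() == "log_hostname"
               and f.get("value", "").lower() == "on" for f in flags)


def evaluate(instances: List[Dict[str, Any]]) -> Dict[str, str]:
    """Return {instance name: 'PASS' | 'FAIL'} for in-scope instances; others are skipped."""
    return {i["name"]: ("PASS" if log_hostname_is_on(i) else "FAIL")
            for i in instances if in_scope(i)}


def remediation_flags(instance: Dict[str, Any]) -> str:
    """Value for `gcloud sql instances patch --database-flags=`: every existing flag is kept
    (the patch replaces the whole flag set) and log_hostname is forced to on."""
    flags = {f["name"]: f["value"]
             for f in instance.get("settings", {}).get("databaseFlags") or []}
    flags["log_hostname"] = "on"
    return ",".join(f"{k}={v}" for k, v in flags.items())


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_INSTANCES).items():
        print(f"{name}: {verdict}")
    print("gcloud sql instances patch pg-off --database-flags="
          + remediation_flags(SAMPLE_INSTANCES[2]))
```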

References

  1. https://cloud.google.com/sql/docs/postgres/flags
  2. https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5