Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter

Risk Level: Low
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.LOG.17
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where databaseVersion like 'POSTGRES%' should have settings.databaseFlags contain [ name like 'log_min_error_statement' and value in('debug5','debug4','debug3','debug2','debug1','info','notice','warning','error')]

REMEDIATION

From Portal

1. Go to https://console.cloud.google.com/sql/instances and navigate to the instance where the flag needs to be set
2. Click Edit Configurations
3. Under flags section, choose add flag, look for log_min_error_statement and choose value - 'ERROR' or stricter.
4. Save and review your changes

From TF
Set the flag 'log_min_error_statement' to 'error' or stricter.:

resource 'google_sql_database_instance' 'default' {
	...
	settings {
		database_flags {
			name  = 'log_min_error_statement'
			value = 'error' OR stricter
		}
	}
}

From Command Line

1. First retrieve all existing flags values:

gcloud sql instances describe INSTANCE_NAME

2. Add all existing flags and their value to the patch request - otherwise they will get set to their default value.

gcloud sql instances patch INSTANCE_NAME --database-flags (ExistingFlag1=Value1,ExistingFlag2=Value2,...),log_min_error_statement= 'error' OR stricter

References

1. https://cloud.google.com/sql/docs/postgres/flags
2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

• CloudGuard GCP All Rules Ruleset
• GCP CIS Controls V 8
• GCP CIS Foundations v. 1.2.0
• GCP CIS Foundations v. 1.3.0
• GCP CIS Foundations v. 2.0
• GCP CloudGuard Best Practices
• GCP MITRE ATT&CK Framework v12.1
• GCP NIST 800-53 Rev 5