Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
The 'log_min_error_statement' flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of 'ERROR' or stricter is set.
Risk Level: Low
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.LOG.17
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CloudSql where databaseVersion like 'POSTGRES%' should have settings.databaseFlags contain [ name like 'log_min_error_statement' and value in('debug5','debug4','debug3','debug2','debug1','info','notice','warning','error')]
REMEDIATION
From Portal
- Go to https://console.cloud.google.com/sql/instances and navigate to the instance where the flag needs to be set
- Click Edit Configurations
- Under the Flags section, choose Add flag, look for log_min_error_statement and choose the value 'ERROR' or stricter.
- Save and review your changes
From TF
Set the flag 'log_min_error_statement' to 'error' or stricter:
resource "google_sql_database_instance" "default" {
  # ...
  settings {
    database_flags {
      name  = "log_min_error_statement"
      value = "error" # or a stricter level
    }
  }
}
From Command Line
- First retrieve all existing flags values:
gcloud sql instances describe INSTANCE_NAME
- Add all existing flags and their value to the patch request - otherwise they will get set to their default value.
gcloud sql instances patch INSTANCE_NAME --database-flags ExistingFlag1=Value1,ExistingFlag2=Value2,...,log_min_error_statement=error
Replace 'error' with a stricter level if required.
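The two command-line steps above can be scripted so that no existing flag is dropped by the patch. The following is an added example, not CloudGuard or Google code: it evaluates an instance with the same value list as the GSL logic on this page and builds the full --database-flags argument. The function names and the sample instance are hypothetical.

```python
import json

FLAG = "log_min_error_statement"
# Values accepted by the GSL logic shown on this page.
ACCEPTED = {"debug5", "debug4", "debug3", "debug2", "debug1",
            "info", "notice", "warning", "error"}

# Constructed sample, shaped like the JSON output of
# `gcloud sql instances describe INSTANCE_NAME --format=json`.
SAMPLE_DESCRIBE = """
{"name": "example-instance",
 "databaseVersion": "POSTGRES_14",
 "settings": {"databaseFlags": [
   {"name": "log_connections", "value": "on"},
   {"name": "log_min_error_statement", "value": "panic"}]}}
"""

def load_sample():
    return json.loads(SAMPLE_DESCRIBE)

def current_flags(instance):
    """Return the instance's database flags as an ordered name -> value dict."""
    flags = (instance.get("settings") or {}).get("databaseFlags") or []
    return {f["name"]: f["value"] for f in flags}

def is_compliant(instance):
    """Mirror the GSL rule: only PostgreSQL instances are in scope, and the
    flag must be present with one of the accepted values."""
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        return True  # rule does not apply
    value = current_flags(instance).get(FLAG)
    return value is not None and value.lower() in ACCEPTED

def patch_flags_argument(instance, value="error"):
    """Build the --database-flags value: every existing flag plus the fix.
    Flags omitted from a patch request are reset to their defaults."""
    if value.lower() not in ACCEPTED:
        raise ValueError(f"{value!r} is not accepted by the rule")
    flags = current_flags(instance)
    flags[FLAG] = value.lower()
    for name, val in flags.items():
        if "," in val:
            # Needs gcloud's alternate list delimiter (see `gcloud topic escaping`).
            raise ValueError(f"flag {name} has a comma in its value")
    return ",".join(f"{n}={v}" for n, v in flags.items())

if __name__ == "__main__":
    inst = load_sample()
    print("compliant:", is_compliant(inst))
    print("--database-flags", patch_flags_argument(inst))
```
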
References
- https://cloud.google.com/sql/docs/postgres/flags
- https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN
GCP CloudSql
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5