Ensures that the log_min_duration_statement flag is disabled for all the PostgreSQL instances.
Risk Level: Low
Description
This plugin ensures that the log min duration statement flag is disabled for SQL instances of the PostgreSQL type. The log min duration statement flag is available in SQL instances for PostgreSQL databases. When this flag is enabled, it logs the duration of all the completed statements whenever the statements run for a minimum specified amount of time.
About the Service
Google Cloud SQL:
Google Cloud SQL is a relational database for MySQL, PostgreSQL, and SQL Server that is fully managed. It automates database provisioning, storage capacity management, replication, and backups while lowering maintenance costs. It can be set up easily using the built-in migration tools and lets you scale your instances effortlessly. To know more about Cloud SQL, read here.
Impact
If this flag is enabled, it could log SQL statements that include sensitive data which heavily impacts the security of your data. To ensure that the sensitive data is not accessible to all and to prevent the data from being attacked and misused by attackers, it is highly recommended to disable this flag on all instances.
Steps to Reproduce
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
- Set Type to PostgreSQL in the Filter box to only see PostgreSQL database instances.
- Select the ID of the SQL instance you want to investigate from the list of instances available and click on the OVERVIEW tab to check the configuration settings of the selected instance.
- In the Database flags section under Configuration, check the configuration of log_min_duration_statement. If it is set to 0 or greater than 0 or if there is no log_min_duration_statement flag set, then the log_min_duration_statement flag is enabled for the selected SQL instance.
(or) - Repeat steps 5 and 6 for all the SQL instances you want to investigate in the selected project.
- If you have multiple projects, repeat steps 2 to 7 for each project in your GCP Console.
Steps for Remediation
Determine whether or not you truly require min duration logs to be enabled for your SQL instances. If not, make the necessary changes to disable it using the steps below.
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
- Set Type to PostgreSQL in the Filter box to only see PostgreSQL database instances.
- Select the ID of the SQL instance you want to reconfigure in the list of instances available. (In case you aren’t sure which SQL instance needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
- Go to the OVERVIEW tab and click on the Edit button found on the top navigation bar.
- Under the Flags section, set the value of log_min_duration_statement to -1 and click the SAVE button to save all the changes.
Note: If you do not find the log_min_duration_statement flag, click on the Add flag button, choose log_min_duration_statement from the dropdown list provided and set the value to -1 and click on DONE. - Repeat steps 5 to 7 for all the SQL instances you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2 to 8 for each project in your GCP console.