Google CloudOverview
The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.
Rationale
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.
Impact
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.
Remediation guidance
From Google Cloud Console
- Go to the
Cloud SQL Instancespage in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances - Select the PostgreSQL instance where the database flag needs to be enabled
- Click
EDIT - Scroll down to the
Flagssection - To set a flag that has not been set on the instance before, click
ADD A DATABASE FLAG, choose the flaglog_min_duration_statementfrom the drop-down menu, and set its value to-1 - Click
SAVE - Confirm the changes under
Flagson theOverviewpage
Using Google Cloud CLI
Configure the log_min_duration_statement database flag for every Cloud SQL PostgreSQL database instance using the below command.
gcloud sql instances patch <instanceName> --database-flags log_min_duration_statement=-1
Note: This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
Default Value
By default log_min_duration_statement is -1.
References
- https://cloud.google.com/sql/docs/postgres/flags
- https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT
Additional information
WARNING: This patch modifies database flag values, which may require the instance to be restarted. Check the list of supported flags https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.
Note: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.
Note: Configuring the above flag restarts the Cloud SQL instance.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
The 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_duration_statement", NOT: { value: "-1" } } } ) { ...AssetFragment }}
