Control: 6.2.2 Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Description
The log_error_verbosity flag controls the verbosity/details of messages logged. Valid values are TERSE, DEFAULT, and VERBOSE.
TERSE excludes the logging of DETAIL, HINT, QUERY, and CONTEXT error information.
VERBOSE output includes the SQLSTATE error code, source code file name, function name, and line number that generated the error.
Ensure an appropriate value is set to DEFAULT or stricter. Default value for log_error_verbosity flag is DEFAULT.
Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_error_verbosity is not set to the correct value, too many details or too few details may be logged. This flag should be configured with a value of DEFAULT or stricter. This recommendation is applicable to PostgreSQL database instances.
Remediation
Perform the following action to check log_error_verbosity
flag is set to DEFAULT or stricter:
From Console:
- Login to GCP console and navigate to Cloud SQL Instances.
- Select the PostgreSQL instance to open its instance Overview page.
- Go to Configuration card.
- Under Database flags, check the value of
log_error_verbosity
flag is set toDEFAULT
or stricter.
Perform the following action to add log_error_verbosity
flag is set to DEFAULT or stricter:
- Login to GCP console and navigate to Cloud SQL Instances.
- Select the PostgreSQL instance for which you want to enable the database flag.
- Click EDIT.
- Under Flags section, click ADD FLAG.
- choose the
flag log_error_verbosity
from the drop-down menu and set appropriate value. - Click SAVE to save your changes.
From Command Line:
- List all Cloud SQL database Instances
gcloud sql instances list
- Configure the log_error_verbosity database flag for every Cloud SQL PostgreSQL database instance using the below command.
gcloud sql instances patch INSTANCE_NAME --database-flags log_error_verbosity=<TERSE|DEFAULT|VERBOSE>
Note
- This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
- Configuring the above flag does not require restarting the Cloud PostgreSQL instance.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v120_6_2_2
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v120_6_2_2 --share
SQL
This control uses a named query:
manual_control