Control: 6.2.8 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
Description
The log_min_duration_statement flag defines the minimum execution time of a statement, in milliseconds, at or above which the statement's total duration is logged. Ensure that log_min_duration_statement is disabled, i.e., set to a value of -1.
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.
Remediation
From Console:
- Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
- Select the PostgreSQL instance where the database flag needs to be set.
- Click Edit.
- Scroll down to the Flags section.
- To set a flag that has not been set on the instance before, click Add item, choose the flag log_min_duration_statement from the drop-down menu and set a value of -1.
- Click Save.
- Confirm the changes under Flags on the Overview page.
From Command Line:
- List all Cloud SQL database instances using the following command:
gcloud sql instances list
- Configure the log_min_duration_statement flag for every Cloud SQL PostgreSQL database instance using the following command:
gcloud sql instances patch <INSTANCE_NAME> --database-flags log_min_duration_statement=-1
Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
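As an added example (not part of this control page or the gcp_compliance mod's own query), the following Python applies the same check to constructed `gcloud sql instances list --format=json` output and builds the merged `--database-flags` value the note above calls for, so existing flags survive the patch. The JSON shape (settings.databaseFlags as a list of name/value objects) is assumed from the Cloud SQL Admin API DatabaseInstance resource.

```python
import json

# Constructed sample in the shape of `gcloud sql instances list --format=json`
# (only the fields this check reads; assumed shape, not captured output).
SAMPLE_INSTANCES_JSON = """
[
  {"name": "pg-prod", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": [
     {"name": "log_connections", "value": "on"},
     {"name": "log_min_duration_statement", "value": "250"}]}},
  {"name": "pg-dev", "databaseVersion": "POSTGRES_13",
   "settings": {"databaseFlags": [
     {"name": "log_min_duration_statement", "value": "-1"}]}},
  {"name": "pg-fresh", "databaseVersion": "POSTGRES_15", "settings": {}},
  {"name": "mysql-main", "databaseVersion": "MYSQL_8_0",
   "settings": {"databaseFlags": [{"name": "general_log", "value": "on"}]}}
]
"""

FLAG = "log_min_duration_statement"
DISABLED = "-1"

def load_instances(raw_json):
    """Parse the gcloud JSON listing into a list of instance dicts."""
    return json.loads(raw_json)

def flags_of(instance):
    """Return {flag_name: value} for an instance; value-less flags map to ''."""
    return {f["name"]: f.get("value", "")
            for f in instance.get("settings", {}).get("databaseFlags", [])}

def evaluate(instance):
    """Report the control's verdict for one instance: skip, ok or alarm."""
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        return "skip"  # the recommendation applies to PostgreSQL only
    # The benchmark wants the flag explicitly set to -1; an absent flag
    # therefore does not pass, even if the engine would default to -1.
    return "ok" if flags_of(instance).get(FLAG) == DISABLED else "alarm"

def remediation_flags(instance):
    """Build the --database-flags value for `gcloud sql instances patch`."""
    # The patch replaces every flag on the instance, so carry the existing
    # flags over and force only log_min_duration_statement to -1.
    flags = flags_of(instance)
    flags[FLAG] = DISABLED
    return ",".join(f"{name}={value}" for name, value in flags.items())

if __name__ == "__main__":
    for inst in load_instances(SAMPLE_INSTANCES_JSON):
        print(inst["name"], evaluate(inst), remediation_flags(inst))
```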
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v130_6_2_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_6_2_8 --share
SQL
This control uses a named query:
sql_instance_postgresql_log_min_duration_statement_database_flag_disabled